Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

two search result at the same time

khanlarloo
Explorer
‎01-31-2022 02:48 AM

I want to have a search, the output of which is the next search stream, provided that each occurred at a common time.
For example: from a source with a specific port is connected to several destinations, and then the search destinations are the first source of the next search, provided that each occurred at the same time.

search1:

index=fgt src=172.26.122.1 dest_port=443 (dest=172.20.120.1 OR dest=172.20.120.2) | stats count by src,dest,_time

search 2:

search1 (src=172.20.120.1 OR src=172.20.120.2) | stats count by src,dest,_time

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2022 03:09 AM

I don't understand.

search1 (src=172.20.120.1 OR src=172.20.120.2)

effectively expands (assuming that you wanted base search only, not the stats part) to

index=fgt src=172.26.122.1 dest_port=443 (dest=172.20.120.1 OR dest=172.20.120.2) (src=172.20.120.1 OR src=172.20.120.2)

Which has two contradicting conditions

src=172.26.122.1

 and

(src=172.20.120.1 OR src=172.20.120.2)

So effectively it would match nothing at all.

So please elaborate a bit more on what you want to achieve.

0 Karma
Reply

khanlarloo
Explorer
‎01-31-2022 03:15 AM

no, i want the dest field in search1 be the src field in search 2

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2022 03:01 AM

Hi @khanlarloo,

let me understand:

you have a search the lists some ssrc values and you want, clicking on one of the resulted values, to run a new search equale to the original, but adding the clicked value, is this correct?

You can easily do this with drilldown, but in a different dashboard.

You can see how to configure drilldown installing on your system the Splunk Dashboard Examples app that describes how to configure drilldown in a different panel of the same dashbord or in a different dashboard.

In few words, you have to configure drilldown using the gui or using source, the result will be something like this:

<drilldown>
   <link target="_blank">/app/your_app/secondary_dashboard?src=$row.src</link>
</drilldown>

and in the secondary dashboard create a panel with a search like this:

index=fgt src=172.26.122.1 dest_port=443 (dest=172.20.120.1 OR dest=172.20.120.2) src=$src$
| stats count by src,dest,_time

Ciao.

Giuseppe

0 Karma
Reply

khanlarloo
Explorer
‎01-31-2022 03:09 AM

No i don't want the drilldown search, i want to have one result from two search

time is important what time that two result happend in two search. the dest field in search1 be the src in search 2 but in one query

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...