×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Splunk2095
Engager
Member since: ‎05-11-2023
‎05-11-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-11-2023
View All

Re: How to exclude results from joined subsearches...

by in Splunk Search
‎05-11-2023 07:52 AM
‎05-11-2023 07:52 AM
I got it working!!!! After specifying the original sourcetypes in the beginning, I did a pipe to fields and specified all fields that were going to be included in some form or another from each of the sourcetypes. Then I tested by having a wildcard for the detection name and having |where sourcetype="FalsePositive".  I saw 4 results and wrote down the detect_id's.  Then I ran the same search but did |where sourcetype!="FalsePositive" and it displayed even more events, but none with the detect_id that showed up when including "FalsePositive". Brain is fried hope that makes sense lol.  Either way, thank you so much!  I wouldn't have reached this point without your help.  Also, the search runs so much faster than using join ofc :). ... View more

Re: How to exclude results from joined subsearches...

by in Splunk Search
‎05-11-2023 05:57 AM
‎05-11-2023 05:57 AM
Hmm so the search does run, but it is never producing results.  I tested multiple variations, but this is the jist:   index=main (sourcetype="DetectionName" AND detect_name="Bypass UAC") OR sourcetype="ProcessInfo" OR sourcetype="FalsePositive" | eventstats values(sourcetype) as sourcetype by Detection_id | where sourcetype!="FalsePositive" AND sourcetype="DetectionName" AND sourcetype="ProcessInfo" | stats values(ComputerName) as ComputerName values(detect_description) as detect_description values(detect_name) as detect_name values(detect_scenario) as detect_scenario values(Process) as Process values(CommandLine) as CommandLine by Detection_id When I take away the where clause it runs but of course produces a long list of stuff where the majority are missing key field values (detect_description, detect_name, detect_scenario are all unique fields in the DetectionName sourcetype while Process and CommandLine are unique fields in the ProcessInfo sourcetype).       ... View more

Re: How to exclude results from joined subsearches...

by in Splunk Search
‎05-11-2023 04:30 AM
‎05-11-2023 04:30 AM
Thanks for the quick response!  and yes I hate join... making Splunk do 2 searches every time it runs breaks my heart. Will your example also work if for instance, I want my search to be based on sourcetype="DetectionName" AND detect_name="Bypass UAC" ?  So putting that first one in brackets? Essentially I will be having a scheduled search for each detection name so events can be grouped and analyzed based on the attack tactic. ... View more

How to exclude results from joined subsearches if ...

by in Splunk Search
‎05-11-2023 03:41 AM
‎05-11-2023 03:41 AM
Hi All, I ran into a tricky one and can’t wrap my head around it (or if it is even possible).  The use case is as follows: There are 3 sourcetypes that share a common field “Detection_id”.  This field has a unique value that appears in all 3 sourcetypes. The first sourcetype is “DetectionName” and the 2nd sourcetype is “ProcessInfo”.  I did a join based on the “Detection_id” field so that way I can see my detection names displayed in a table right next to the process information responsible for the detection from the 2nd sourcetype.  That search works fine. This is where it gets a bit tricky.  The 3rd sourcetype is called “FalsePositive” meaning it was a detection that was already investigated and considered false positive.  We do not want any events displaying in our table from the first two searches IF the same unique “Detection_id” value also appears in the “FalsePositive” sourcetype.  That way time isn’t wasted scrolling through detections that were already investigated. Any thoughts on the best way to handle this and/or if it is even possible? Appreciate any answers or feedback. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-11-2023 10:42 AM