cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dcfrench3
Engager
Member since: ‎01-09-2024
‎01-10-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎01-09-2024
Activity Feed
Topics I've Started
View All

Re: An Alternative to Subsearch

by in Splunk Search
‎01-10-2024 01:28 PM
‎01-10-2024 01:28 PM
Hi @gcusello and @dtburrows3 , Thanks for getting back to me. Sorry if my question wasn't 100% clear. So my current goal is that I'm attempting to create a dashboard. In one panel I have a base search of: index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" This is to grab the reason an account was locked out and would also show the source IP of that information. I essentially need to grab the IP information from this initial search so I can use it in the follow search: index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=<source IP information from initial search> I tried to use a subsearch, but being the I am pulling from an index with iis logs, it's too large of a search and times out before it can complete. ... View more

An Alternative to Subsearch

by in Splunk Search
‎01-10-2024 07:35 AM
‎01-10-2024 07:35 AM
Hello, I am trying to use a subsearch in order to create a dashboard, but being the subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?   index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]   My goal is to take information from first panel in my dashboard and then use that information to do a different search in another panel       ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-10-2024 06:16 PM
Karma given to
View All