So I have a subsearch that is the same in a couple panels and their searches, but I've been looking for a way to do that subsearch once and call those results into those panels. I've only come across post process searching that seems to be in the right direction, but from all the examples I've seen, it doesn't allow you to use those results as a subsearch, but only as the basis search or front end of the search. Is there a way to have a similar post process searching except for a subsearch statement? ... View more

I am making a dashboard that takes in a network ID and outputs information about that user. Many of the searches require finding the main IP address of the user. I have a macro to output the IP from an inputted Network ID. The problem is the macro can take some time to finish, so it adds on to the speed of finding search results. And if you compound that onto a lot of panels (10+) finding all results can be slowed heavily, especially since I'm looking to add more panels. Is there a way to just do the macro once and set the result to a token/variable and just plug that variable into the panel searches rather than plugging in the macro and running the macro for each search? User inputs network ID -> macro runs on that net ID and stores IP in a variable -> plug in variable in different searches ... View more

So I am trying to output audit failures in a readable manner while displaying relevant data. I am trying to output the count for the number of times that Process_Name has failed and display its top Task_Category and have this table for each computer_name the user logged in on. I am trying to get a table that looks like this Computer_Name | Process_Name | Task_Category | count _______________________________________________________________ asdfkjhfu$ |wineventExample1 |Login |20 |wineventExample3 |Sensitive Priv |30 |wineventExample2 |derp |10 ________________________________________________________________ asdflkja$ |wineventExample1 |Login |60 |wineventExample5 |Sensitive Priv |40 |wineventExample2 |derp |20 My Search for now looks as follows (I know I'm not close, but this will give you an idea of field names/sourcetypes: sourcetype=wineventlog:forwardedevents Account_Name=Alpha Keywords="Audit Failure"|stats count(Process_Name) as count by Process_Name|appendcols [search sourcetype=wineventlog:forwardedevents Account_Name=Alpha Keywords="Audit Failure"|top limit=1 TaskCategory by Process_Name|fields TaskCategory]|table Computer_Name, Process_Name, TaskCategory,count This outputs a table like this Computer_Name | Process_Name | Task_Category | count _______________________________________________________________ |wineventExample1 |Login |20 |wineventExample3 |Sensitive Priv |30 |wineventExample2 |derp |10 ... View more

I am trying to get the output to look like this Process Name | 10:00:00 | 10:10:00| 10:20:00...etc _________________________________________________ C:\ | 0 | 3 | 1 C:\ | 1 | 2 | 0 My Search currently looks like this: search sourcetype="Beta" Account_Name=Alpha|eval time=strftime(_time, "%H:%M:%S")|bucket time span=10m|chart count over New_Process by time It instead outputs Process Name | 10:00:01 | 10:00:02| 10:00:03...etc _________________________________________________ C:\ | 0 | 3 | 1 C:\ | 1 | 2 | 0 Any idea how to fix this? or what may be wrong? ... View more

The sourceType I was told to mess with has a "Name" field. The field sometimes holds the value of a users Network ID like johnSmith, but other times it will have a computer_name like RUIOEFJ876V8$. computer_name always ends in a $ sign. Is it possible to split these into two buckets when tabling my search? I tried using the regex command, but I'm not sure how to implement it with buckets, so I wanted to check if anyone had any ideas with that way of solving the issue or if they had an opinion of a better way to solve it. ... View more

Beginner here, I've been trying to practice subsearching, but I've come across a problem I couldn't figure out how to get around. So I'm trying to search source A and find the top IP corresponding with the net-id. This search works when I do it separately and outputs an IP address. From there I want to search through another source type for info corresponding with this IP address. My full search looks like this search source=B [search source=A net_id=Alpha| dedup ip|top limit=1 ip| fields ip] If I manually enter the ip like so: search source=B "___.___._.___" <- (same numbers that output if I search source=A net_id=Alpha|dedup ip|top limit=1 ip|fields ip ) it outputs expected results, but if I try and do it in one go like its written above using a subsearch, I get no results. Any ideas? ... View more