- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combinding two searches into one
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combinding two searches into one
Hello all,
I do appreciate this question has been asked several times, but I am struggling to understand how to link searches together.
I have search A that highlights what src_ip communicated with dest_ip on a specific port-
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")
| table src_ip, dest_ip, dest_port, _time
I then take the results from the src_ip and link it to the second search in a new tab to find the computer hostname from the src_ip via DHCP logs -
index=oswinsec sourcetype=dhcp ip=192.168.*.*
| table ip, dest, date, time
Is it at all possible to combine these so when I do a search on a specific destination IP, the results src_ip is converted into the hostnames found in the DHCP source type?
thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know if this gives exactly what you mean and I can't test it but maybe you can give it a try:
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")
| where dest_ip="xxx"
| table src_ip, dest_ip, dest_port, _time
| join type=outer src_ip
[ search index=oswinsec sourcetype=dhcp ip=192.168.*.*
| eval src_ip=ip]
| table src_ip, dest, date, time hostname
If it doesn't work can you describe what goes wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi thank you for the post
So the top part
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")after the first AND, the IP here should be dest_ip="192.168.*.* followed by the dest port
what i want, is for the IPs found (src_ip) communicating with the dest_ip to be converted into hotnames from the -
index=oswinsec sourcetype=dhcp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if your case is clear to me.
In general, you have a collection A and you have a collection B. There is at least 1 field in common. You can use that field to relate the collections with a join. To relate the fields they must have the same name. You can use eval for that. Once they are related you can use the fields in collection B as output of your search.
So:
(index=netfw OR index=netproxy) AND dest_ip=("192.168.*.*") AND (dest_port="23")gives a src_ip as a result.
Your collection B is
index=oswinsec sourcetype=dhcp ip=192.168.*.*The ip you use here is the src_ip of collection B. You should use
eval src_ip=ipif you want to use src_ip in the join (because the fields in the join must have the same name).
So maybe something like this:
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")
| where dest_ip="192.168.*.*"
| join type=inner src_ip
[ search index=oswinsec sourcetype=dhcp
]
| table date time src_ip dest_ip hostname
if in the index=oswinsec the src_ip has a different name you could use
eval src_ip=[different name for src_ip]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")
| table src_ip, dest_ip, dest_port, _time
| join type=left src_ip
[ search index=oswinsec sourcetype=dhcp ip=192.168.*.*
| table ip, dest, date, time
| rename ip as src_ip]
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
