Re: Get fields from two searches with two common f...

srteclesmayer · ‎04-10-2019

Hi,

I'm getting a trouble with this situation. I have two searches:

From the first one i get host and auid:

index=unix | fields host type auid hostname
| eval mainhost=host
| search type="ANOM_LOGIN_FAILURES" OR type="USER_LOGIN" OR type="LOGIN"
| stats count as Attemps, count(eval(type="ANOM_LOGIN_FAILURES")) as Failed, count(eval(type="USER_LOGIN" OR type="LOGIN")) as Success by auid mainhost
| where Failed>0 AND Success>0

And i want to use these two fields on subsearch to get the username linked to that auid:

| appendcols maxtime=3600
[ search index="os" host=$mainhost$ sourcetype="Unix:UserAccounts" user_id=$auid$
| table user
| dedup user]
| table auid,mainhost,Attemps,Failed,Success,user

but it doesn't work. I'm not getting any information on user field but if i change the $mainhost$ and $auid$ with the value returned by the main search, it works propertly. How can i use main fields on subsearch to filter its results?

Thank you for your time.

knielsen · ‎04-10-2019

Not sure about the host field, but in theory... well, try:

(index=unix type="ANOM_LOGIN_FAILURES" OR type="USER_LOGIN" OR type="LOGIN") OR (index="os" sourcetype="Unix:UserAccounts") | eval id=coalesce(auid, user_id) | stats count as Attemps, count(eval(type="ANOM_LOGIN_FAILURES")) as Failed, count(eval(type="USER_LOGIN" OR type="LOGIN")) as Success values(user) as user by host, id | where Failed>0 AND Success>0

And don't start using join! 😉

harishalipaka · ‎04-10-2019

hi @srteclesmayer

Instead of appendcols try with |join id

Thanks
Harish

Get fields from two searches with two common fields

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...