Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Replacing an IP with a set of usernames in a complex search

timbCFCA
Path Finder
‎09-26-2012 09:20 AM

I'm putting together a search which needs to cross correlate two data sources as well as run a nested search in order to get results I want (username, client IP, top 5 visited sites).

The search for my destination hosts is working well but I'm not sure how to add the second search based on the criteria that the c_ip column matches the sourceNetworkAddress. 

search [search source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | regex UrlDestHost != "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | top c_ip limit=25 | table c_ip  ] | regex UrlDestHost != "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | top UrlDestHost by c_ip limit=5 | stats list(UrlDestHost) list(count) by c_ip | sort list(count) desc

evtid=4624 |  stats values(evtuser) by sourceNetworkAddress

I'm thinking I need an append and field alias but I'm not quite sure how to implement it.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

timbCFCA
Path Finder
‎09-27-2012 06:16 AM

Found a solution. Not sure if it is optimal but it works. 

search [search cs_network="Internal" action="Allowed"  | top c_ip limit=25 | table c_ip  ]  |  top UrlDestHost by c_ip limit=5 |  stats  list(UrlDestHost) list(count) by c_ip | sort list(count) desc | join type=left c_ip [search evtid=4624 |  stats values(evtuser) as evtusers by sourceNetworkAddress | rename sourceNetworkAddress as c_ip  ] | table c_ip, evtusers, list(UrlDestHost), list(count)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

timbCFCA
Path Finder
‎09-27-2012 06:16 AM

Found a solution. Not sure if it is optimal but it works. 

search [search cs_network="Internal" action="Allowed"  | top c_ip limit=25 | table c_ip  ]  |  top UrlDestHost by c_ip limit=5 |  stats  list(UrlDestHost) list(count) by c_ip | sort list(count) desc | join type=left c_ip [search evtid=4624 |  stats values(evtuser) as evtusers by sourceNetworkAddress | rename sourceNetworkAddress as c_ip  ] | table c_ip, evtusers, list(UrlDestHost), list(count)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...