Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Subsearch Question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lehrfeld
Path Finder
05-05-2014
08:47 AM
I am trying to create a report that includes failed log on attempts from our windows security logs with the originating host name from the network_dhcp log files. I can pull the failed log ons using this search:
index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | stats count(user) as Attempts dc(src_ip) as IPs values(src_ip) as "IP Addresses" by user | where Attempts > 2 | table user Attempts IPs "IP Addresses" | sort -Attempts
This returns:
user Attempts IPs IP Address
xxx 5 2 192.168.1.10
192.168.1.11
yyy 4 3 192.168.1.20
192.168.1.21
192.168.1.31
I would like to then lookup by IP Address in the dhcp logs to get the hostname of the offending workstation. This search works for this purpose:
index=network_dhcp dest_ip="192.168.1.102" | table nt_host dest_ip
Ideally the finished search would look like this...
user Attempts IPs IP Address nt_host
xxx 5 2 192.168.1.10 wkstation01
192.168.1.11 wkstation02
yyy 4 3 192.168.1.20 wkstation03
192.168.1.21 wkstation04
192.168.1.31 wkstation05
I have this subsearch but it does not return any results.
index=network_dhcp [search index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | fields + src_ip] | table nt_host dest_ip
Thanks for any help!
Mike
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-05-2014
10:34 AM
Try this
index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | stats count(user) as Attempts dc(src_ip) as IPs by src_ip,user | where Attempts > 2 | table user Attempts IPs src_ip | sort -Attempts | join src_ip [search index=network_dhcp | stats count by nt_host dest_ip | rename dest_ip as src_ip | table nt_host src_ip] | stats list(src_ip) as "IP Addresses" list(nt_host) as "Host Names" by user,Attempts,IPs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-05-2014
10:34 AM
Try this
index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | stats count(user) as Attempts dc(src_ip) as IPs by src_ip,user | where Attempts > 2 | table user Attempts IPs src_ip | sort -Attempts | join src_ip [search index=network_dhcp | stats count by nt_host dest_ip | rename dest_ip as src_ip | table nt_host src_ip] | stats list(src_ip) as "IP Addresses" list(nt_host) as "Host Names" by user,Attempts,IPs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
05-05-2014
09:45 AM
Perhaps something like this will do the job:
search index=os_windows source="WinEventLog:Security" EventCode=4771 NOT user="*$" Failure_Code="0x18" | rex mode=sed field=src_ip "s/::ffff://" | rename src_ip as dest_ip | join dest_ip [search index=network_dhcp] | stats count(user) as Attempts dc(src_ip) as IPs values(dest_ip) as "IP Addresses" by user | where Attempts > 2 | table user Attempts IPs "IP Addresses" nt_host | sort -Attempts
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
