Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch or ‘let stats sort it out’?

RocIngersol
Explorer
‎01-24-2020 03:15 AM

Hey folks. Help!

I have two indexes.

  • Index 1 - Contains an authoritative list of AWSconfig accounts it.
  • index 2 - Contains cloudtrail data - logins by account

I want to list accounts that haven’t been logged into using my AWSconfig account list (index 1) as Index 2 (cloudtrail) only has logs of what has been logged into at some point...

I was going to use a subsearch to get a list of unique accounts from index 1 and then pass that into a search against cloudtrail (index 2) - but was wondering if I could use stats instead (cause y’know subsearches have limitations...)

Thoughts?

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-24-2020 04:41 AM

Personally, I might use a lookup for this task.

I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.

Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.

Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv

Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-24-2020 06:32 AM

What are the event counts in both indexes (based on the search time range you'll be using)?

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-24-2020 04:41 AM

Personally, I might use a lookup for this task.

I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.

Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.

Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv

Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

RocIngersol
Explorer
‎01-24-2020 09:31 AM

I’m not looking for isAuthed per se more ‘from the a deduped list of master accounts in index1, have they been found logging in determined by the Cloudtrail logs in index2.

Lookup could work but.. will try and report back. Thx!

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-24-2020 09:34 AM

Ah I see, its more like "from this list of users, who has logged in?"
In that case the lookup is still a viable solution - but maybe you can use a field name like 'reviewLogin' instead of 'isAuthorised'

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

RocIngersol
Explorer
‎01-24-2020 11:11 AM

Yeah. Sounds good!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...