Subsearch or ‘let stats sort it out’?

RocIngersol
Explorer

Hey folks. Help!

I have two indexes.

  • Index 1 - Contains an authoritative list of AWS Config accounts.
  • Index 2 - Contains CloudTrail data: logins by account.

I want to list accounts that haven’t been logged into, using my AWS Config account list (index 1) as the source, since index 2 (CloudTrail) only has logs of what has been logged into at some point...

I was going to use a subsearch to get a list of unique accounts from index 1 and then pass that into a search against CloudTrail (index 2), but I was wondering if I could use stats instead (because, y’know, subsearches have limitations...).

Thoughts?

Thanks!

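One way to answer the "subsearch or stats" question directly, as an added example that is not code from the original thread: search both indexes in one pass and let stats reconcile them by account, so no subsearch result limits apply. The index names index1 and index2 come from the question; the sourcetypes (aws:config, aws:cloudtrail), the account fields (awsAccountId for Config, userIdentity.accountId and recipientAccountId for CloudTrail) and the eventName=ConsoleLogin filter are assumptions for illustration, chosen to match the field names the Splunk Add-on for AWS typically produces. Substitute your own.

```spl
(index=index1 sourcetype=aws:config) OR (index=index2 sourcetype=aws:cloudtrail eventName=ConsoleLogin)
| eval account=coalesce(awsAccountId, 'userIdentity.accountId', recipientAccountId)
| where isnotnull(account)
| stats count(eval(index=="index1")) AS config_events, count(eval(index=="index2")) AS login_events BY account
| where config_events>0 AND login_events=0
| sort account
```

The single-quoted 'userIdentity.accountId' is required in eval because the field name contains a dot. Dropping the final where clause gives the full reconciliation table; flipping it to config_events=0 lists the other interesting set, accounts that logged in but are not in the authoritative list. Two caveats a reviewer will raise: "never logged in" here means "no login event inside the search time range", so run it over at least as much history as your CloudTrail retention covers; and eventName=ConsoleLogin only catches console sign-ins, so remove that filter if API activity via access keys or assumed roles should also count as "used". For comparison, the subsearch form would be index=index1 ... NOT [search index=index2 ... | stats count BY account | fields account], which is capped by the subsearch defaults in limits.conf (10,000 results, 60 seconds) and silently truncates beyond them; the stats form has no such cap.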
1 Solution

nickhills
Ultra Champion

Personally, I might use a lookup for this task.

I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.

Then you can use that lookup in your search against data in index2 to add an 'isAuthorised' field.

Scheduled Lookup Builder
index=index1 yourSearchFilter | eval isAuthorised="true" | dedup userName arn | table userName arn isAuthorised | outputlookup authorisedAWSAccounts.csv

Search index2
index=index2 yourSearchFilter | lookup authorisedAWSAccounts.csv userName OUTPUT isAuthorised | search NOT isAuthorised="true"

If my comment helps, please give it a thumbs up!

somesoni2
Revered Legend

What are the event counts in both indexes (based on the search time range you'll be using)?

RocIngersol
Explorer

I’m not looking for isAuthed per se, more ‘from the deduped list of master accounts in index1, have they been found logging in, as determined by the CloudTrail logs in index2’.

Lookup could work but... will try and report back. Thx!


nickhills
Ultra Champion

Ah I see, it's more like "from this list of users, who has logged in?"
In that case the lookup is still a viable solution, but maybe you can use a field name like 'reviewLogin' instead of 'isAuthorised'.

If my comment helps, please give it a thumbs up!
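The lookup approach from this answer, turned around to produce the list the question actually asks for (accounts in the authoritative list that CloudTrail has never recorded a login for), as an added example rather than code from the thread. It is three searches: a scheduled builder for the authoritative account list, a scheduled builder for the set of accounts CloudTrail has seen logging in, and the report that joins them through the lookup. Index names index1 and index2 are from the question; the sourcetypes, the account fields (awsAccountId, userIdentity.accountId, recipientAccountId), the eventName=ConsoleLogin filter and the CSV names are assumptions for illustration.

```spl
index=index1 sourcetype=aws:config
| stats latest(_time) AS last_seen_in_config BY awsAccountId
| rename awsAccountId AS account
| outputlookup authorisedAWSAccounts.csv

index=index2 sourcetype=aws:cloudtrail eventName=ConsoleLogin
| eval account=coalesce('userIdentity.accountId', recipientAccountId)
| where isnotnull(account)
| stats max(_time) AS last_login, count AS login_events BY account
| outputlookup cloudtrailLoginsSeen.csv

| inputlookup authorisedAWSAccounts.csv
| lookup cloudtrailLoginsSeen.csv account OUTPUT last_login login_events
| eval reviewLogin=if(isnull(last_login), "never logged in", "logged in")
| where reviewLogin="never logged in"
| convert ctime(last_seen_in_config)
| table account last_seen_in_config reviewLogin
```

The report tests for a null last_login rather than using field!=value: in Splunk, field!=value returns only events that have the field with some other value, so rows missing the field would be dropped instead of flagged, which is exactly the opposite of what this check needs. The second builder's time range bounds what "never" means; each run overwrites the CSV, so schedule it over a window at least as long as the CloudTrail history you care about. Starting the report from inputlookup on the authoritative list is what makes this work: a search against index2 can only ever return accounts that do have events there. Swapping the two CSV names in the report gives the original direction of this answer, accounts seen logging in that are not on the authoritative list.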

RocIngersol
Explorer

Yeah. Sounds good!
