
Using search result(s) in a second, separate search


Hi All,

I am looking to create a dashboard to support ongoing investigations. This dashboard will have many panels for logs such as Windows event logs, web proxy logs, email gateway logs, endpoint protection logs, etc.

As per the below image, I would like to run an "AD_User_Search" which will return field values for "User_ID" and "Email_Address".

I would like the "WinEventLog_Search" and the "WebProxy_Search" to read the "User_ID" value returned from the "AD_User_Search" and then return relevant data from the Windows event logs/web proxy logs. Likewise, the "EmailTraffic_Search" should read the "Email_Address" value returned from the "AD_User_Search" and return relevant data from the email gateway logs.


Can anyone advise the best way to go about this?




There are several options here:

1) Use token drilldowns. Now your main panel is AD_user_search, that is perhaps just a list of user, email addr, user id. You can add some other stuff to the panel if some other 1-1 user information is present.
2) I would implement a row drilldown to 3 other panels: event log search, proxy search and email traffic search. I would pass a token value (on row selection) to these 3 child panels, which will be populated by clicking on one row of the main 'ad_user_search' panel, to fetch the user id (for log search, proxy search) and email addr (for email traffic search) respectively.
3) Default value set to ALL for all 3 child panels.
4) Token drilldown behavior - as soon as a row in the main panel is clicked, the values for user id and email addr are passed to the 3 child panels, which will then show the requisite data. The main thing is to pass the selected row token values to the respective panels. http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownIntro
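The row-drilldown wiring described above, written out as a Simple XML dashboard. This is an added example, not code from the question or from this answer. It keeps the page's AD search and field names (index=active_directory, username, user_id, email_address); the child panels' indexes and field names (index=wineventlog with user and EventCode, index=proxy with src_user and dest_host, index=email with sender and recipient) are assumptions that you replace with whatever your own sourcetypes use. Instead of a default of ALL, the child rows stay hidden (depends) until a row in the main panel has been clicked and the tokens exist.

```xml
<form>
  <label>Investigation dashboard (added example)</label>
  <fieldset submitButton="false">
    <!-- The analyst types the AD username; it feeds the main search below. -->
    <input type="text" token="username">
      <label>AD username</label>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>AD_User_Search</title>
      <table>
        <search>
          <!-- Search string from the question; user_id and email_address are what the child panels need. -->
          <query>index=active_directory username="$username$" | table username user_id email_address</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <!-- Clicking a row copies that row's cell values into two tokens. -->
        <drilldown>
          <set token="user_id">$row.user_id$</set>
          <set token="email_address">$row.email_address$</set>
        </drilldown>
      </table>
    </panel>
  </row>

  <!-- These rows render only after a click has set the token they depend on. -->
  <row depends="$user_id$">
    <panel>
      <title>WinEventLog_Search</title>
      <table>
        <search>
          <!-- Assumed index and field names; match them to your own Windows event data. -->
          <query>index=wineventlog user="$user_id$" | stats count by EventCode, ComputerName</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>WebProxy_Search</title>
      <table>
        <search>
          <!-- Assumed proxy index and field names. -->
          <query>index=proxy src_user="$user_id$" | stats count by dest_host, action</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>

  <row depends="$email_address$">
    <panel>
      <title>EmailTraffic_Search</title>
      <table>
        <search>
          <!-- Assumed email gateway index and field names. -->
          <query>index=email (sender="$email_address$" OR recipient="$email_address$") | table _time sender recipient subject action</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this into a new dashboard's source editor. The token values are quoted inside the child queries so that a user id or address containing spaces or special characters is treated as a single search term rather than being spliced into the search as bare text.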



Hi MikeElliott,

You can make the other three panels of the dashboard depend on the "AD_User_Search" panel.

Create drop-downs of user_id and email_address from "AD_User_Search".



Hi anjambha,

In your second suggestion, how would we populate the drop downs with the results from the "AD_User_Search"?

An example search string for the "AD_User_Search" would be index=active_directory username=XXX | table username user_id email_address



So, in this case, for proper output you can create three drop-down inputs:
1) index=active_directory | dedup username | table username
2) index=active_directory username=$username$ | table user_id
3) index=active_directory username=$username$ | table email_address
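The three cascading drop-downs from this answer, as an added Simple XML example (not code from the answer itself). Each input runs the search given above; the second and third reference $username$, so Splunk reruns them whenever the first drop-down changes, and the resulting user_id and email_address tokens are consumed by the child panels exactly as in the drilldown approach. The child panel's index and field names (index=proxy, src_user, dest_host) are assumptions.

```xml
<form>
  <label>Investigation dashboard with cascading drop-downs (added example)</label>
  <fieldset submitButton="false">
    <!-- 1) every distinct username in the AD index -->
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>Username</label>
      <search>
        <query>index=active_directory | dedup username | table username</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
    </input>

    <!-- 2) user_id for the chosen username; reruns when $username$ changes -->
    <input type="dropdown" token="user_id" searchWhenChanged="true">
      <label>User ID</label>
      <search>
        <query>index=active_directory username="$username$" | table user_id</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>user_id</fieldForLabel>
      <fieldForValue>user_id</fieldForValue>
    </input>

    <!-- 3) email_address for the chosen username -->
    <input type="dropdown" token="email_address" searchWhenChanged="true">
      <label>Email address</label>
      <search>
        <query>index=active_directory username="$username$" | table email_address</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>email_address</fieldForLabel>
      <fieldForValue>email_address</fieldForValue>
    </input>
  </fieldset>

  <!-- A child panel reads the drop-down token; the other two panels follow the same pattern. -->
  <row depends="$user_id$">
    <panel>
      <title>WebProxy_Search</title>
      <table>
        <search>
          <!-- Assumed proxy index and field names. -->
          <query>index=proxy src_user="$user_id$" | stats count by dest_host, action</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If a username maps to a single user_id and address, the second and third drop-downs will each hold one entry; they still serve to expose the values as tokens that the log panels can reference.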
