Using and Understanding Basic Subsearches in Splunk

A subsearch in Splunk is a unique way to stitch together results from your data. Simply put, a subsearch is a way to use the result of one search as the input to another. Subsearches contain an inner search, whose results are then used as input to filter the results of an outer search. The inner search always runs first, and it is important to note that subsearches return a maximum of 10,000 results and will only run for up to 60 seconds by default.

First, it is good to understand when to use subsearches and when NOT to use them. Generally, you want to avoid using subsearches when working with large result sets. If your inner search produces a lot of results, then applying them as input to your outer search could be inefficient. When working with large result sets, it will likely be more efficient to create fields using the eval command and to produce statistical results using the stats command. Because subsearches are computationally more expensive than most search types, it is ideal to have an inner search that produces a small set of results and use that to filter a bigger outer search.

Suppose we have a network that should only be accessed by those local to the United States. We are interested in seeing a list of users who have successfully accessed our network from outside of the United States. We could build one search to give us a list of IP addresses from outside of the U.S., and another search to give us a list of all accepted connections. A subsearch could then be used to stitch these results together and help us obtain a comprehensive list.

First, we would need to decide what our inner results should be: a list of all accepted connections, or a list of all non-U.S. IPs? Using the latter as the inner search would probably work best, as it should return a much smaller set of results. Our inner search would look something like this, using the iplocation command to give us more info on the IP address field:

    index=security sourcetype=linux_secure | stats count by ip_address | iplocation ip_address | search Country!="United States" | fields ip_address

This essentially results in a list of IP addresses that are not from the U.S. From here, we want to create another search to return a list of all accepted connections. This will be our outer search, and it looks something like this:

    index=security sourcetype=linux_secure connection_status=accepted | dedup ip_address | table ip_address, Country

To combine these, we can use the following subsearch format: inner searches are always surrounded by square brackets, and begin with the search keyword.

In Splunk I need a dashboard, with a statistics table, looking like this:

    USER, LATEST
    Hank, 13:49:57,654 User:hank The user is authenticated and logged in.
    Skylar, 13:49:57,654 User:skylar The user is authenticated and logged in.
    Walt, 13:49:57,654 User:walt The user is authenticated and logged in.

Where USER is column 1 and LATEST column 2. The purpose of the table is to show the user ids (found in mySource1) and show the latest login event (found in mySource2) so that you can tell when each user last logged in.

mySource1 example

    17:00:01 - Naam van gebruiker: hank - Rol van gebruiker: operator
    17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: operator
    17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator
    17:00:01 - Naam van gebruiker: skylar - Rol van gebruiker: administrator
    17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: administrator

mySource2 example

    13:49:57,654 User:hank The user is authenticated and logged in.
    13:49:57,654 User:skylar The user is authenticated and logged in.
    13:49:57,654 User:walt The user is authenticated and logged in.

"User:myUserID The user is authenticated and logged in."

But I found out that the second search returns data to the first search. Also, I did not fetch the name from the second search. I later tried the following:

    index="myIndex" source="mySource2"
    "The user is authenticated and logged in."

But this does not return any data. I tried running both searches separately, and when I do, they return the data I need:

    index="myIndex" source="mySource2" | rex "User:(?\w+) The user is authenticated and logged in."

How do I manage to return the data and get the desired table of results?

EDIT: Forgot to mention, I also need to show users who have a role (source1) but have never logged in (not found in source2). Hence mySource1 is used.
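Putting the article's two searches together in the subsearch format it describes, as an added example that is not part of the original page: the inner search sits in square brackets, starts with the search keyword, runs first, and its ip_address values are substituted into the outer search as an OR'd filter. An iplocation step is added to the outer pipeline (the page's outer search does not have one) so that the Country column is actually populated; the index, sourcetype and field names are the page's own.

```spl
index=security sourcetype=linux_secure connection_status=accepted
    [ search index=security sourcetype=linux_secure
      | stats count by ip_address
      | iplocation ip_address
      | search Country!="United States"
      | fields ip_address ]
| iplocation ip_address
| dedup ip_address
| table ip_address, Country
```

Running the bracketed inner search on its own with | format appended shows the exact (ip_address="...") OR (ip_address="...") expression Splunk substitutes, which is the quickest way to confirm it stays well under the 10,000-result and 60-second limits before relying on the combined search for alerting.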