

A subsearch in Splunk is a unique way to stitch together results from your data. Simply put, a subsearch is a way to use the result of one search as the input to another. Subsearches contain an inner search, whose results are then used as input to filter the results of an outer search. The inner search always runs first, and it's important to note that subsearches return a maximum of 10,000 results and will only run for up to 60 seconds by default.

First, it's good to understand when to use subsearches and when NOT to use them. Generally, you want to avoid using subsearches when working with large result sets. If your inner search produces a lot of results, then applying them as input to your outer search could be inefficient. When working with large result sets, it will likely be more efficient to create fields using the eval command and to compute statistical results using the stats command. Because subsearches are computationally more expensive than most search types, it is ideal to have an inner search that produces a small set of results and use that to filter a bigger outer search.

Suppose we have a network that should only be accessed by those local to the United States. We're interested in seeing a list of users who've successfully accessed our network from outside of the United States. We could build one search to give us a list of IP addresses from outside of the U.S., and another search could be used to give a list of all accepted connections. A subsearch could then be used to stitch these results together and help us obtain a comprehensive list.

First, we'd need to decide what our inner results should be: a list of all accepted connections, or a list of all non-U.S. IPs? Using the latter as an inner search would probably work best, as it should return a much smaller set of results. Our inner search would look something like this, using the iplocation command to give us more info on the IP address field:

index=security sourcetype=linux_secure | stats count by ip_address | iplocation ip_address | search Country!="United States" | fields ip_address

This essentially results in a list of IP addresses that are not from the U.S. From here, we want to create another search to return a list of all accepted connections. This will be our outer search, and it looks something like this (iplocation is needed here as well, because Country is not a field in the raw events):

index=security sourcetype=linux_secure connection_status=accepted | dedup ip_address | iplocation ip_address | table ip_address, Country

To combine these, we can use the following subsearch format. Inner searches are always surrounded by square brackets, and begin with the search keyword. Here's what our final search would look like:

index=security sourcetype=linux_secure connection_status=accepted
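As an added example that is not from the original post, here is the full combined search that the subsearch format above describes, assuming the same index, sourcetype and field names (ip_address, connection_status, Country) used in the inner and outer searches:

```spl
index=security sourcetype=linux_secure connection_status=accepted
    [ search index=security sourcetype=linux_secure
      | stats count by ip_address
      | iplocation ip_address
      | search Country!="United States"
      | fields ip_address ]
| dedup ip_address
| iplocation ip_address
| table ip_address, Country
```

Splunk runs the bracketed inner search first and rewrites its result rows into an OR'd filter of the form (ip_address=A OR ip_address=B ...) that is appended to the outer search, which is why the inner search ends with fields ip_address and why it must stay under the 10,000-result and 60-second defaults mentioned above.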
