Use search results for another search

Question

Hi,

I want to use the search results as an argument for another search (with different source), like this more or less...:

source=/var/log/remots/ns_traffic.log dst=[search sourcetype="snort" | fields dest_ip]

Is this possible? Which is the right way to do it?

Thanks in advance, Alex

Accepted Answer

0

source=/var/log/remots/ns_traffic.log [search sourcetype="snort" | fields dest_ip | rename dest_ip as dst]

You can also take a look on the search restriction created by the subsearch by executing this search:

sourcetype="snort" | fields dest_ip | rename dest_ip as dst | format

link

answered 08 Nov '10, 08:55

ziegfried ♦
7.2k●1●3●15
accept rate: 53%

Answer 2

0	i think i found it... source=/var/log/remots/ns_traffic.log \|fields dst [search sourcetype="snort" dest_ip] is that the right way to correlate the different results? Alex link answered 08 Nov '10, 10:05 afont 3●2 accept rate: 0%

Answer 3

0

Hi Ziegfried!

The search:

source=/var/log/remots/ns_traffic.log [search sourcetype="snort" | fields dest_ip | rename dest_ip as dst]

worked better than mine... ;) i think that the main thing was on the rename command, which tells splunk to match the different fields, isn't it?

thanks! Alex

link

answered 08 Nov '10, 10:09

afont
3●2
accept rate: 0%