Short story: alert results to populate a proxy query with dependent time ranges.
Longer story:
So essentially, let's say I have a string that shows up in my repository of SEP:IDS logs.
I have a query that shows me a summary of IPs and then calculates +/- 5 min fields as such:
search sourcetype=sep:ids earliest=1441065601 "NaStY AtTaCkEr StRiNg" | eval time=substr(begin_time,8,26) | eval epc=time | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(epc) | eval early=(epc-300) | eval late=(epc+300) | rename early as earliest, late as latest | fields + L_IP, earliest, latest
The time field is a substring from the raw data, as the original carve-out has some garbage at the front and I don't want that. After that the time string is converted to a time format, then to an epoch format so I can have some calculated fields on plus and minus 5 min. The L_IP field is another carved field for the IP of the victim or local machine generating the alert.
Running the query without the field push-ups and simply making a table works easily:
... eval epc=time | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(epc) | eval early=(epc-300) | eval late=(epc+300) | table L_IP,time,early,late
But I want to take each alert and the +/- range to query the proxy logs for those IPs in those time ranges, to do some correlation with the IDS alerts and activity, etc.
When I use this as a sub-query pushing up the field values, I get nothing. I know some of these won't have proxy logs and that there is a limit to what a sub-query can push back, but getting nothing is a problem, as manually the data is there.
Is there a Splunk ninja out there who can point me in the proper direction?
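A subsearch can only push up the fields that are still present in its last row set, so a `fields + late` followed by a `fields + early` leaves nothing for the outer search to use. The subsearch form below is an added example written for this question, not taken from the original post. It assumes the proxy events are in a sourcetype literally named `proxy` and carry the client address in a field named `src_ip` (both assumptions; rename `L_IP` to whatever the proxy sourcetype actually uses). It uses `strptime` in place of the post's `convert mktime`, which yields the same epoch value, and keeps the post's `substr(begin_time,8,26)` carve-out as-is. Because the subsearch returns `src_ip`, `earliest` and `latest` per alert, Splunk expands it into one `(src_ip="..." AND earliest="..." AND latest="...")` clause per alert, OR'd together, so each IP is only searched inside its own +/- 5 minute window.

```spl
sourcetype=proxy
    [ search sourcetype=sep:ids earliest=1441065601 "NaStY AtTaCkEr StRiNg"
      | eval epc=strptime(substr(begin_time,8,26), "%Y-%m-%d %H:%M:%S")
      | eval earliest=epc-300, latest=epc+300
      | rename L_IP AS src_ip
      | fields src_ip earliest latest ]
| stats count AS requests, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| convert ctime(first_seen) ctime(last_seen)
```

To see exactly what is being pushed up, run the bracketed subsearch on its own and append `| format`: the `search` field of the single result is the literal clause string the outer search receives, which makes an empty or malformed push-up obvious. Two limits also apply to every subsearch and will silently truncate the clause list: by default a subsearch returns at most 10,000 rows (`maxout`) and is cut off after 60 seconds (`maxtime`), both set in the `[subsearch]` stanza of `limits.conf`. If the IDS hit count is large enough to approach either, the `map` command, which runs one proxy search per alert row, is the usual alternative.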