Subsearches

A subsearch is a search that passes its results to an outer search as search terms. Subsearches are enclosed in square brackets, and must start with a generating command like the search command or tstats. They can be used to narrow down the set of events you are searching on, or used with commands to combine the results of one search with the results of another. Subsearches are always executed first, before passing their results to the outer search.

In this example here, we can see we have our basic search followed by a subsearch in square brackets, followed by a set of additional commands. We're looking for failures and we want to see the unknown users. Let's go ahead and jump on over into running this search, taking a look at our security index, sourcetype of linux_secure. We're going to use that knownusers.csv file, which we loaded in earlier, within an inputlookup command in a subsearch to access that lookup data and pass values to the outer search. The results of the subsearch will have an OR boolean placed between them, and we will see that search expand into AND-ing the results of that subsearch with those field-value pairs separated by OR boolean operators.

appendcols

Description: Appends the fields of the subsearch results to the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. For example, the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.

Required arguments

subsearch
Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments

override
Syntax: override=<bool>
Description: If the override argument is false, and if a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false

subsearch-options
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options

maxtime
Syntax: maxtime=<int>
Description: The maximum time, in seconds, to spend on the subsearch before automatically finalizing.
Default: 60

maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000

timeout
Syntax: timeout=<int>
Description: The maximum time, in seconds, to wait for the subsearch to fully finish.

Usage

The appendcols command must be placed in a search string after a transforming command such as stats, chart, or timechart. It can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. Note that the subsearch argument to the appendcols command doesn't have to contain a transforming command.

Examples

Example 1. Search for "404" events and append the fields in each event to the previous search results. This is a valid search string because appendcols comes after the transforming command table and adds columns to an existing table of results.

    index=_internal | table host | appendcols [search 404]

Example 2. This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields. Only the tail of the search string survives on this page, and the subsearch inside appendcols was not preserved:

    ...rver | stats dc(userID) as totalUsers | appendcols [ <subsearch not preserved on this page> ] | eval variableB = exact(variableA/totalUsers)

First, this search uses stats to count the number of individual users on a specific server and names that value "totalUsers". Then it uses appendcols to search the server and count how many times a certain field occurs on that specific server. The eval command is used to define "variableB". The result is a table with the fields totalUsers, variableA, and variableB.

To keep a subsearch inside the time range of the main search, the addinfo command adds the info_min_time and info_max_time fields to the search results, and the where command is then used to constrain the subsearch to the time range of those fields.
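To make the two mechanisms above concrete, here is an added Python model (not SPL, and not code from the page or the course): the subsearch runs first, its lookup rows expand into OR-ed groups of field=value pairs that the outer search AND-s with its own terms, and appendcols merges the i-th subsearch row into the i-th main row, with override deciding field clashes and maxout capping subsearch rows. The lookup rows, the linux_secure-style log lines, and the rule that underscore-prefixed fields stand in for internal fields are constructed assumptions.

```python
import csv
import io
import re

# Constructed stand-in for the knownusers.csv lookup loaded with inputlookup.
KNOWN_USERS_CSV = "user\nalice\nbob\n"

# Constructed linux_secure-style sshd events: three failures, one success.
EVENTS = [
    "Failed password for invalid user mallory from 198.51.100.7 port 4022 ssh2",
    "Failed password for alice from 203.0.113.5 port 51515 ssh2",
    "Accepted password for bob from 203.0.113.9 port 51516 ssh2",
    "Failed password for invalid user eve from 198.51.100.8 port 4023 ssh2",
]
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def run_subsearch(csv_text):
    """The subsearch runs first: `[ | inputlookup knownusers.csv | fields user ]`
    yields one row of field=value pairs per lookup line."""
    return [{"user": row["user"]} for row in csv.DictReader(io.StringIO(csv_text))]


def expand_subsearch(rows):
    """Render the rows as the outer search receives them: the pairs within one
    row are AND-ed, the rows are OR-ed, and each group is parenthesised."""
    groups = [" AND ".join(f'{k}="{v}"' for k, v in r.items()) for r in rows]
    return "( " + " OR ".join(f"( {g} )" for g in groups) + " )"


def unknown_user_failures(events, csv_text):
    """Outer search: failures whose user is NOT covered by the expanded terms."""
    known = {r["user"] for r in run_subsearch(csv_text)}
    hits = [FAIL_RE.search(e) for e in events]
    return [{"user": m.group(1), "src": m.group(2)}
            for m in hits if m and m.group(1) not in known]


def appendcols(main_rows, sub_rows, override=False, maxout=50000):
    """Row-wise merge as the page describes: i-th subsearch row into i-th main row.
    Fields starting with '_' model internal fields and are skipped; subsearch rows
    beyond the main result count are dropped (a simplification of this model)."""
    merged = [dict(r) for r in main_rows]
    for target, sub in zip(merged, sub_rows[:maxout]):
        for k, v in sub.items():
            if k.startswith("_"):
                continue
            if override or k not in target:
                target[k] = v
    return merged
```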