Running Federated Search from Splunk
Query's Splunk App displays real–time and historical data in your Splunk console by directly querying from the data sources' APIs when you run your federated search.
Getting Started with Search
For example, run a federated search to fetch events, associated devices, and user information for an IP you are investigating. This will run parallel queries into the platforms connected via Query and bring back results in real-time using the platforms' APIs.
| queryai search="ip = 172.16.16.10"
Note that you have to start with a pipe '|' in front of the app's queryai command, i.e. | queryai
Command Syntax and Additional Examples
Command Syntax
| queryai search=”field = value” platforms="platformA, platformB, platformC" timeout=60
Parameter Description
searchmandatory parameter that has the federated search condition payload.platformsoptional parameter that lets you pass the platform alias names you want to query from. Without this parameter, all platforms will be queried. You can review/configure alias names from the 'Connections' page in Query's Console at https://go.query.ai/.`timeoutoptional numeric parameter specified in seconds. It let's you pass the maximum time you are willing to wait for results. Note that setting this timeout may lead to incomplete results as only the results obtained within that timeframe will be displayed.
Additional Examples
| queryai search="ip = 172.16.16.10"
| queryai search="email = [email protected]" timeout=60
| queryai search="ip = 172.16.16.10" platforms="S3, elastic, sentinel"
Search Conditions
Here are some common federated search operators you can use:
Equality
Examples:
| queryai search=”dvc_ip = 1.1.1.1”
| queryai search=”dvc = My-MacBookPro”
Starts with
Examples:
Note the trailing '*':
| queryai search=”dvc = mac*”
| queryai search=”user_name = mahesh*”
Ends with
Examples:
Note the '*' at the beginning of the value:
| queryai search=”dvc = *mac”
| queryai search=”user_name = *anand”
Contains
Examples:
| queryai search=”dvc = *mac*”
| queryai search=”user_name = *ana*”
Field Extraction
In the search results, you will see the top-level OCSF schema objects, events, and attributes. For more details on OCSF, please see Normalization and the OCSF Data Model
The _raw field contains the native platform data mapped from OCSF's raw_data. For any content-specific use-cases, you can extract further fields from that native data by adding the spath pipe operation as ... | spath input=_raw
Common Search Fields
Please use the below listed Splunk CIM fields in the search condition.
NOTE: Corresponding OCSF schema fields from Query's OCSF data model are listed for reference.
| Splunk CIM Field (used in federated searches) | Corresponding OCSF schema field in Query's UI |
|---|---|
| dvc | Hostname |
| dvc_ip | IPAddress |
| ip | IPAddress |
| user_name | Username |
| file_name | Filename |
| file_hash | File Hash |
| url | URL |
| Email Address |
Updated about 2 months ago