Splunk Search

How to use the search results of one index as inputs to another search using a different index?

Thuan
Explorer

I search Netflow firewall denied traffic on port 53 using the netflow index. Based on the IPs found (source and DNS destination server), subsequently and using the DNS index I want to find out the domain name of the specific queries that were blocked. How can this be done by passing the source and destination IPs obtained in the 1st search to the 2nd search?


Thuan
Explorer

Your promptness is much appreciated.
I forgot to mention that subsearch has certain limitations, e.g., limits on search time or number of returned entries. In my case I don't want to be constrained by the limits imposed by the subsearch. In fact, the first search retrieves a number of suspicious events which trigger more extensive searches in different indexes to build a "context" for a potential security issue. What is a working scheme without using subsearch?


Ayn
Legend

This is pretty much exactly what subsearches are made for. The docs have excellent explanations on how to use them so I'll just link to those: http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch

lguinn2
Legend

Try this, which uses a subsearch.

index=dns [ search index=netflow port=53 firewall denied | dedup src_ip dest_ip | table src_ip dest_ip ]

I probably don't have the search terms right, but I think you can figure it out from this starting point!
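Thuan's follow-up asked for a scheme that is not bound by the subsearch limits (by default a subsearch is cut off at 10,000 results or 60 seconds), so here is an added example of mine, not code from any of the posters, that correlates the two indexes without a subsearch: the first search reads both indexes in one pass and joins them with stats, and the second and third searches split the work into a scheduled search that writes the denied pairs to a lookup and a dns search that filters on that lookup. It assumes CIM-style field names (netflow events carry src_ip, dest_ip, dest_port and action=blocked; dns events carry src_ip, dest_ip and query) and that blocked_dns_pairs.csv is permitted as a lookup file in your app; adjust the field names to whatever your add-ons extract.

```spl
(index=netflow dest_port=53 action=blocked) OR (index=dns query=*)
| stats count(eval(index=="netflow")) AS denied_flows
        values(query) AS queried_domains
        min(_time) AS first_seen max(_time) AS last_seen
        BY src_ip dest_ip
| where denied_flows > 0 AND isnotnull(queried_domains)
| convert ctime(first_seen) ctime(last_seen)
| sort - denied_flows

index=netflow dest_port=53 action=blocked
| stats count AS denied_flows BY src_ip dest_ip
| outputlookup blocked_dns_pairs.csv

index=dns query=*
| lookup blocked_dns_pairs.csv src_ip, dest_ip OUTPUT denied_flows
| where isnotnull(denied_flows)
| stats count AS queries values(query) AS queried_domains BY src_ip dest_ip denied_flows
```

The single-pass search only matches dns and netflow events that fall in the same time range, so widen the picker (or the scheduled search window) enough to cover the DNS query that preceded the denied flow.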

SUHANISH0910
New Member

Hi - In this example filtering data from different indexes was also mentioned, but when I tried that it did not work. What is the syntax for using 2 indexes with the same search pattern and getting both indexes' values at the same time? Please advise.

@vamsinm 

Thanks

Venkatesh


yuanliu
SplunkTrust

@SUHANISH0910 Please post your question as a new post, including your sample code and sample results to illustrate the problem/difficulty.
