I'm looking to enrich a search of firewall IP data with DNS host data from proxy logs. To be clear, I don't want to do a DNS reverse lookup, I want to use information that is already in my proxy logs.
So basically, I'm looking to enrich the output of Search 1 (firewalls_traffic) by adding a field with a value based on the results of Search 2 (proxy_logs.)
Search 1:
sourcetype=firewall_traffic (some criteria * ) | stats sum(bytes_sent), count(repeat_count) by src_ip,application,dst_ip | ?? Add new field with values from Search 2 ?? | sort 10 -bytes_sent
Search 2:
sourcetype=proxy_logs ?? dst_ip value from Search 1 ?? | fields dns_name | head 1
Thanks,
Al
So you can use a splunk subsearch, but it's not very intuitive and the docs are relatively worthless, with only the simplest examples. Essentially, you sort of have to do it backwards. In other words, you need your proxy search first and your firewall search second. Kind of like this:
sourcetype=proxy_logs dst_ip = [sourcetype=firewall_traffic (some criteria * ) | stats sum(bytes_sent), count(repeat_count) by src_ip,application,dst_ip | sort 10 -bytes_sent | fields src_ip]| fields dns_name | head 1
I can't really test this, but hopefully you get the idea.
Hope that helps!
Did you get a chance to look at subsearch http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Usesubsearchtocorrelateevents
Thanks for the link, and from the description you would think it should help, but it doesn't.
I have used subsearches but only in another context, namely to supply search criteria to an 'outer' search with results from an 'inner' search.
I'm not looking to do that here... I'm looking to add an additional field and values to Search 1 based on data in Search 2.
Actually I need to investigate your feedback a bit more... thanks for the tip.