Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

coorelated event

rashid47010
Communicator
‎10-19-2016 10:27 PM

any body advise me why the below query is not showing the the IP's whereas I am sure that there are some IP's who are bluecoat logs but not in websense logs:

index=websense sourcetype=websense src NOT [search index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src ]

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-20-2016 01:15 AM

To troubleshot your search start to try your single searches separately and see if there are values in both of them and values that aren't in both of them.

  • index=websense sourcetype=websense src
  • index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src

In addition, verify that the field src is present in both the searches?

The string "src" that you put before "NOT" means that in the first search you want to search also the word "src" or other?

Bye.
Giuseppe

0 Karma
Reply

rashid47010
Communicator
‎10-20-2016 01:33 AM

the src field is common for both devices. and I check the logs individually. I have one use case that for sure he is bypassing websense control(means there are no logs on websense for that src IP)

but still now showing any result:
my query is :

index=websense sourcetype=websense NOT [search index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src ]

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-20-2016 01:43 AM

does your search run without "NOT"? what result you have?
Bye.
Giuseppe

0 Karma
Reply

gokadroid
Motivator
‎10-19-2016 10:52 PM

Isn't that your query is doing exactly opposite:

Search IPs in websense log which are NOT in [ IPs in bluecoat logs]

Shouldn't you be doing below if you want *some IP's who are bluecoat logs but not in websense logs:
*:

Search IPs in bluecoat logs NOT in [ IPs in websense logs ]
0 Karma
Reply

rashid47010
Communicator
‎10-20-2016 01:35 AM

I am trying now with this query.
shortly I will update you with the results.

index=bcoat sourcetype="bluecoat:proxysg:access:file" NOT [search index=websense | fields src ]

0 Karma
Reply
Related Topics
Coorelate two events
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...