Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sub search works well in one case but yields no result when sourcetypes are interchanges using join command.

shivi_tcs
Engager
‎04-06-2017 12:52 AM

I am trying to join two different sourcetypes on IP address to detect traffic to malicious IP's .
The two sources are -Firewall Logs and Threat Intelligence logs (Malicious IP list).

The query runs fine when I make firewall logs as a sub search and the threat logs as the main search using join command.(i.e. Query A).Using this I am able to get the list for malicious IP's in firewall logs.

But vice versa does not gives any result (i.e. Query B)

(A)-Query Running successfully-
sourcetype="threat_logs" | fields ip_address country | join ip_address type=inner [ search sourcetype="firewalllogs"| fields ip_address Action] | table ip_address Action country | dedup ip_address

(B)Query with No results-
sourcetype="firewalllogs" | fields ip_address Action | join ip_address type=inner [ search sourcetype="threat_logs"| fields ip_address country ] | table ip_address Action country | dedup ip_address

0 Karma
Reply

hhGA
Communicator
‎04-06-2017 06:06 AM

I don't know if this is a typo in your actual search or only what you've written in your question but in query B you are missing an 'e' from 'firewalllogs'.

0 Karma
Reply

shivi_tcs
Engager
‎04-06-2017 06:16 AM

hi,
yes,it is a typo.
and those are not actual source types but just a means of representation for sourcetypes.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...