How can I join searches so that one search acts on results of the first search?

niccage88
New Member

Hi, hope someone could help. Please note I'm no Splunk master.
So I'm trying to join 2 searches from 2 different indexes whereby the 2nd part will work based on the 1st part's data. In a nutshell I have tipping point data that runs into a table but I then want Splunk to check if anyone accessed the source or destination IP from our Forcepoint logs. Below is a snippet of my search. The first part already works fine.

index="trend_tpoint" signature!="2xxxx" signature!="7xxxx"
|dedup src_ip
|table signature,src_ip,dest_ip,action,severity
|join dest_ip [search index=fpoint_web |table dest_ip,user,action]
|table src_ip,dest_ip,action,user

Again, I want the Forcepoint section to only check for activity based on results in the first part of the search.


woodcock
Esteemed Legend

Try this:

(index="trend_tpoint" signature!="2xxxx" signature!="7xxxx") OR (index=fpoint_web)
| fields index signature src_ip dest_ip action severity user
| stats values(*) AS * dc(index) AS indexCount values(index) AS indices BY dest_ip
| where indices="fpoint_web"

You might swap the last line with this:

| where indexCount==2

mihikaraj
New Member

DalJeanis
Legend

Run this first by itself...

index="trend_tpoint" signature!="2xxxx" signature!="7xxxx"
| head 5
| table _time, signature, src_ip, dest_ip, action, severity

Take an IP from that and put it in this search ...

index=fpoint_web dest_ip="1.2.3.4" | head 1 | table _time, dest_ip, user, action

If there's no record, try the other ips.

If there is a record, then try this...

index="trend_tpoint" signature!="2xxxx" signature!="7xxxx" dest_ip="1.2.3.4"
| dedup src_ip
| table _time, signature, src_ip, dest_ip, action, severity
| join type=left dest_ip 
    [search index=fpoint_web dest_ip="1.2.3.4" | dedup dest_ip | eval ftime=strftime(_time,"%Y-%m-%d %H:%M:%S") | table ftime, dest_ip, user, action]

If that works, then remove the dest_ip limits.


rvany
Communicator

(converted answer into comment...)

  • What is the current outcome of your statement?
  • you say "anyone accessed the source or destination ip" - this part is only about the destination ip?
  • you have "action" in both searches; could this be a problem?
  • what happens if you drop the last "table"-statement?
  • are there same "dest_ip" values in both indexes?

And just to keep things "splunky": your data runs into an index - not a table 😉

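A worked version of the OR-plus-stats pattern from woodcock's answer, written as an added example for this thread rather than taken from any of the posts above. It goes slightly beyond the answers: it correlates on both src_ip and dest_ip (the original question asks about either IP being accessed), and it renames the Forcepoint fields before the stats so the "action" field that exists in both indexes (rvany's point) does not get merged. Field names (src_ip, dest_ip, user, action, signature, severity) and the two index names are taken from the question; the signature exclusions keep the placeholder values from the question and need replacing with real signature IDs.

```spl
(index="trend_tpoint" signature!="2xxxx" signature!="7xxxx") OR index="fpoint_web"
| eval ip=if(index="trend_tpoint", mvappend(src_ip, dest_ip), dest_ip)
| mvexpand ip
| eval tp_action=if(index="trend_tpoint", action, null())
| eval fp_user=if(index="fpoint_web", user, null())
| eval fp_action=if(index="fpoint_web", action, null())
| stats values(signature) AS signature values(severity) AS severity values(tp_action) AS tp_action values(fp_user) AS fp_user values(fp_action) AS fp_action dc(index) AS indexCount BY ip
| where indexCount==2
| table ip signature severity tp_action fp_user fp_action
```

The first eval turns each TippingPoint event into a multivalue field holding both of its IPs, and mvexpand splits that into one row per IP, so a Forcepoint event whose dest_ip matches either side of the TippingPoint event lands in the same group. Because every field is aggregated by stats rather than pulled in through a subsearch, this avoids the subsearch row and time limits that make `join` silently drop rows on larger data sets. Rows with indexCount==2 are exactly those IPs that appear in both indexes within the selected time range; if you want TippingPoint rows with no Forcepoint match as well (the equivalent of DalJeanis's `join type=left`), replace the where clause with `| where isnotnull(signature)` instead.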

FritzWittwer_ol
Contributor

Should work. What happens? Does the second search alone give some results?
