- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How can I join searches so that one search acts on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I join searches so that one search acts on results of the first search?
Hi, hope someone could help. Please note I'm no Splunk master.
So I'm trying to join 2 searches from 2 different indexes whereby the 2nd part will work based on the 1st parts data. In a nutshell I have tipping point data that runs into a table but I then want Splunk to check if anyone accessed the source or destination IP from our Forcepoint logs. Below is a snippit of my search. The first part already works fine
index="trend_tpoint" signature!="2xxxx” signature!="7xxxx"
|dedup src_ip
|table signature,src_ip,dest_ip,action,severity
|join dest_ip [search index=fpoint_web |table dest_ip,user,action]
|table src_ip,dest_ip,action,user
Again, I want the Forcepoint section to only check for activity based on results in the first part of the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index="trend_tpoint" signature!="2xxxx” signature!="7xxxx") OR (index=fpoint_web)
| fields index signature src_ip dest_ip action severity user
| stats values(*) AS * dc(index) as indexCount values(index) AS indices BY dest_ip
| where indices=fpoint_web
You might swap the last line with this:
| where indexCount==2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See append command
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Append
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this first by itself...
index="trend_tpoint" signature!="2xxxx” signature!="7xxxx"
| head 5
| table _time, signature, src_ip, dest_ip, action, severity
Take an IP from that and put it in this search ...
index=fpoint_web dest_ip="1.2.3.4" | head 1 | table _time, dest_ip, user, action
If there's no record, try the other ips.
If there is a record, then try this...
index="trend_tpoint" signature!="2xxxx” signature!="7xxxx" dest_ip="1.2.3.4"
| dedup src_ip
| table _time, signature, src_ip, dest_ip, action, severity
| join type=left dest_ip
[search index=fpoint_web dest_ip="1.2.3.4" | dedup dest_ip | eval ftime=strftime(_time,"%Y-%m-%d %H:%M:%S") | table ftime, dest_ip, user, action]
If that works, then remove the dest_ip limits.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(converted answer into comment...)
- What is the current outcome of your statement?
- you say "anyone accessed the source or destination ip" - this part is only about the destination ip?
- you have "action" in both searches; could this be a problem?
- what happens if you drop the last "table"-statement?
- are there same "dest_ip" values in both indexes?
And just to keep things "splunky": your data runs into an index - not a table 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should work, what happens? does the second search alone give some results?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
