Splunk Search

Perform a Lookup from results of another search

agodoy
Communicator

I want to use the clientip field of an access_combined log to get the reported username from a bigfix search.

The bigfix search I am using is:

search index=bigfix sourcetype="software_inventory" | makemv delim="," src_ip | mvexpand src_ip | table src_ip, host, user_name

How would I go about correlating clientip to src_ip and adding the user_name field without having to build a csv and setup an automatic lookup.

Thanks!

0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

try a join.

mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]

Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.

View solution in original post

0 Karma

yannK
Splunk Employee
Splunk Employee

try a join.

mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]

Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.

0 Karma

agodoy
Communicator

Worked beautifully! Thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...