Splunk Search

Results from two different index

JoeSco27
Communicator

I have internal logs (index=loghistory) that have a field for unique users, I need to list the IP addresses from each unique user, but I only want to return the values that match the field for IP addresses that are in the IIS index. Doing the free form search is quick for my internal logs, but when done over the millions of events in IIS it takes too long. Is there a way to 1) quicken up a free form search in IIS and 2) return matching values for the IP Address over both the internal logs and IIS index? The matching values are based on the unique user ID, but that data is only in the loghistory index.

I have tried the join commands but it doesnt produce the proper results

index="loghistory" IPADDRESS="*" UniqueID="*" | rename IPADDRESS AS c_ip | join c_ip [search index=iis c_ip="*" host=WebHost01 OR host=WebHost02]

index=loghistory IPADDRESS="*" UniqueID="*") OR (index=iis c_ip="*" host=WebHost01 OR host=WebHost02) | rename IPADDRESS AS c_ip | stats count by c_ip, UniqueID   

These are two separate searches that I created, as shown I tried using a JOIN command and I also tried using the OR function. Both didn't return the results that I wanted. I want to search the loghistory index, returning a set number of IPADDRESS values that will then be used as input to the second search which will search the IIS index for those IP addresses.

Tags (2)
0 Karma

yannK
Splunk Employee
Splunk Employee

This looks like a sub search that wil add a list of c_ip conditions to the main search.

index="loghistory" IPADDRESS="*" UniqueID="*" [ search index=iis host=WebHost01 OR host=WebHost02 | stats count by c_ip | rename c_ip AS IPADDRESS | table IPADDRESS]

0 Karma

kristian_kolb
Ultra Champion

please provide a few sample lines from each sourcetype, and a table showing how you want the results presented.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...