Solved: How would I join fields from Splunk DB Connect to ...

zhatsispgx · ‎09-29-2016

Hello,

I am using Splunk DB Connect -> DB Input to import data from a MySQL Table successfully. Rather than create additional automatic lookups/DB Lookups which will be extremely slow against this massive database, how would I join fields that are already indexed from the DB Input to avoid additional DB Lookups?

DB Input data I would like to join on:

source="nessusdb" field: host_ip with source="suricata" field src_ip.

I would like to take the following fields from source="nessusdb" and add them to a search on source="suricata".

something like:

source="suricata" msg="ET *" | table suricata_event, src_ip, nessus_vulnerability

Sorry in advance I am not very good at SPL yet.

Thanks!

mrgibbon · ‎09-29-2016

Try using:
index=nessusdb OR source=suricata
then using the coalesce command:
|eval src_ip = coalesce(src_ip,host_ip)
Then put in your table command with src_ip and the other fields.

View solution in original post

mrgibbon · ‎09-29-2016

Try using:
index=nessusdb OR source=suricata
then using the coalesce command:
|eval src_ip = coalesce(src_ip,host_ip)
Then put in your table command with src_ip and the other fields.

How would I join fields from Splunk DB Connect to DB Input to avoid additional DB lookups?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk