Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search on another index based on the first search condition?

TrAnS
Loves-to-Learn
‎09-29-2020 02:34 PM

Hi, i am trying to do a search which can shows which internal client accessed the web but i have a proxy to access the web on behalf.

So i have a internal client X.X.X.X 

my proxy internal IP is IP.IP.IP.IP

my proxy external IP is EP.EP.EP.EP

 

so i have a search 

index=* 8.8.8.8

 

The above search will show that my proxy(EP.EP.EP.EP) access this IP. So from here i would like to based on this result i need to search index=proxy where my IP is IP.IP.IP.IP to see which internal client access this 8.8.8.8

 

Can anyone guide me on how should i write my splunk search?

Labels (1)
Labels
0 Karma
Reply

DavidHourani
Super Champion
‎09-29-2020 11:35 PM

Hi @TrAnS ,

There are multiple ways to do so, the first one would be using a subsearch

index=proxy [search index=other dest_ip=8.8.8.8 | table dest_ip]


This is not very efficient though, so it's best to run a combined search on both indices : 

(index=proxy OR index=other) dest_ip=8.8.8.8| stats values(index) dc(index) as indexCount by dest_ip | where indexCount>2


Let me know if the above helps.

Cheers,

David

Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...