Splunk Search

My 2nd index in a join is giving only the latest value, where I need the value matched by time with the 1st index

hosniadnan
New Member

Hi

I created a join search for my environment where my 1st index is for my IPS and the 2nd index is for DHCP. The DHCP index contains the hostnames of my user machines.

I am joining on the IP addresses in both indexes to get which host triggered the IPS event.

My problem is that after joining I am getting only the last value from my DHCP index.
That is, suppose IP 1.1.1.1 was used by three hosts during the day: Host A, Host B, and Host C.

Host B is the host that triggered the IPS at 12 PM, but Host C is the last host that used the IP, at 4 PM.

Now when I check my join search at 5 PM, it shows the threat in the IPS was triggered at 12 PM with Hostname Host C, which is wrong.
It needs to show Host B.

Is there any way I can fix this so that the correct host is shown for the IPS threat, at the IPS index time?

Here is a sample of my search:

index=isp | join IP type=inner [search index=dhcp | fields _time,IP,HOSTNAME | rename HOSTNAME as Hostname] | fillnull value=unknown | stats count by Threat,IP,Hostname
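The behaviour described in the post is what join does by default: with max=1 (the default) it keeps only the first subsearch row per IP, and a subsearch returns events most-recent-first, so the newest DHCP lease wins no matter when the IPS event happened. The search below is an added example, not the poster's search or a Splunk-supplied one, showing the usual time-aware alternative: read both indexes in one search, order events by IP and time, and carry the most recent lease forward onto each later IPS event with streamstats. Index names (isp, dhcp) and field names (IP, Threat, HOSTNAME) are taken from the posted search; the assumption that each DHCP event carries HOSTNAME for the host that received IP, and that the IPS event carries Threat, is mine.

```spl
(index=isp Threat=*) OR (index=dhcp HOSTNAME=*)
| fields _time, index, IP, Threat, HOSTNAME
| eval Hostname=if(index=="dhcp", HOSTNAME, null())
| sort 0 IP, _time, index
| streamstats last(Hostname) as Hostname by IP
| where index=="isp"
| fillnull value=unknown Hostname
| stats count by Threat, IP, Hostname
```

Hostname is set only on DHCP events, and stats functions skip null values, so streamstats last(Hostname) by IP gives every IPS event the lease that was most recently seen for that IP before it (Host B for the 12 PM hit in the example, even though Host C holds the lease at 5 PM). The `index` tie-break in sort puts a dhcp event before an isp event with the same timestamp, so a lease granted in the same second as the hit is attributed correctly. An IPS event with no earlier lease in the search window falls through to "unknown", so set the earliest time of the search far enough back to include the lease that preceded your earliest IPS hit (a lease length is a sensible minimum). Because no subsearch is involved, the 50,000-row subsearch limit that join applies to the DHCP side does not apply here either.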