Hi,
I'm new to Splunk and I want to make a search that finds all events from multiple sourcetypes that have a matching field.
For example:
I have a sourcetypeA (threat_script_match) whose only field is an IP address, and I have a sourcetypeB (opnsense) with source and destination IP fields.
I want to be able to do something like a wildcard of sourcetypeA (which is much, much smaller, only ~500 events) and return all events from sourcetypeB that also contain the matching IPs. I can get the results I want using a giant chain of OR statements, i.e. 1.1.1.1.1 OR 1.1.1.1.0 OR ... However, that is not a good long-term solution.
Here's what I have so far:
sourcetype=opnsense [search sourcetype=Threat_script_match | return threat_src_IP=src_IP]
Any help would be awesome, thanks.
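Added example (not from the original post) of the subsearch written out so that it covers every threat IP rather than the single row `return` emits by default, and matches both firewall fields: the first search builds an explicit `(src_ip="x" OR dst_ip="x")` clause per IP with `format`, the second emits the bare IP values with `return $field`, which Splunk then matches anywhere in the raw opnsense event. It assumes the IP field in Threat_script_match is named `threat_src_IP` and the opnsense source/destination fields are `src_ip` and `dst_ip` (names not given in the post).

```spl
sourcetype=opnsense
    [ search sourcetype=Threat_script_match
      | dedup threat_src_IP
      | eval src_ip=threat_src_IP, dst_ip=threat_src_IP
      | fields src_ip dst_ip
      | format "(" "(" "OR" ")" "OR" ")" ]
| table _time src_ip dst_ip

sourcetype=opnsense
    [ search sourcetype=Threat_script_match
      | dedup threat_src_IP
      | return 1000 $threat_src_IP ]
| table _time src_ip dst_ip
```

Both forms stay well inside the default subsearch limits (10,000 rows, 60 seconds) for ~500 indicators; for a feed that keeps growing, loading the IPs into a lookup table and using `lookup` against `src_ip` and `dst_ip` avoids the subsearch entirely.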