Hi, hope someone could help. Please note I'm no Splunk master.
So I'm trying to join 2 searches from 2 different indexes whereby the 2nd part will work based on the 1st part's data. In a nutshell, I have TippingPoint data that runs into a table, but I then want Splunk to check if anyone accessed the source or destination IP from our Forcepoint logs. Below is a snippet of my search. The first part already works fine.
index="trend_tpoint" signature!="2xxxx" signature!="7xxxx"
| dedup src_ip
| table signature, src_ip, dest_ip, action, severity
| join dest_ip [search index=fpoint_web | table dest_ip, user, action]
| table src_ip, dest_ip, action, user
Again, I want the Forcepoint section to only check for activity based on results in the first part of the search.
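As an added example (not the poster's search and not an answer from the thread), one way to make the Forcepoint search depend on the TippingPoint results is to run the IPS search as a subsearch that feeds a list of IPs into the outer search, instead of joining afterwards. It assumes the field names from the post (src_ip, dest_ip, user, action), that the Forcepoint index records the visited site in dest_ip, and that the signature values 2xxxx / 7xxxx are the placeholders the poster used:

```spl
index=fpoint_web
    [ search index="trend_tpoint" signature!="2xxxx" signature!="7xxxx"
      | eval dest_ip=mvappend(src_ip, dest_ip)
      | mvexpand dest_ip
      | dedup dest_ip
      | fields dest_ip ]
| table _time, user, src_ip, dest_ip, action
```

Inside the subsearch, mvappend puts both ends of every alert into one multivalue field and mvexpand splits it so each IP becomes its own row; dedup and fields then leave a single column, which Splunk renders as (dest_ip="a" OR dest_ip="b" ...) and applies as a filter to the outer search, so only Forcepoint events for IPs the IPS actually flagged are read. Because the two searches are no longer joined, the Forcepoint action field is not overwritten by the IPS action field of the same name. Subsearches are capped by default at 10,000 results and 60 seconds; if the IPS side is larger than that, the same correlation can be done by appending both searches and grouping with stats on the IP instead.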