https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-create-a-search-that-would-match-fields-for-two/m-p/453358#M6362 <P>Hi team!</P> <P>I need help with a search. </P> <P>I have 2 indexes and I want to match both for an IP field. If they match, I want stats for the first one.</P> <P>This is my search right now.</P> <PRE><CODE>(index=AAA Ip=*) OR (index=BBB src_ip=* (threat_name="SCAN: Host Sweep(8002)" OR threat_name="SCAN: TCP Port Scan(8001)" OR threat_name="TCP Flood(8501)" OR threat_name="UDP Flood(8502)" OR threat_name="TCP SYN with data(8723)") (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2") (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") src_ip != 191.100.200.27 AND src_ip != 191.100.200.71 AND src_ip != 191.100.200.56) | eval match_ip=coalesce(Ip,src_ip) | stats values(*) AS * by match_ip | search src_ip=* Ip=* | stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip |table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone | rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date </CODE></PRE> <P>Right now it finds the match IP. But the problem is it didn't show the fields well. I should have 55 events and I have 2000. Every IP has multiple times, dest zones etc. Obviously, this is not true.</P> <P>Thank you!</P> Mon, 10 Sep 2018 15:13:53 GMT christianubeda 2018-09-10T15:13:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-create-a-search-that-would-match-fields-for-two/m-p/453358#M6362 <P>Hi team!</P> <P>I need help with a search. </P> <P>I have 2 indexes and I want to match both for an IP field. If they match, I want stats for the first one.</P> <P>This is my search right now.</P> <PRE><CODE>(index=AAA Ip=*) OR (index=BBB src_ip=* (threat_name="SCAN: Host Sweep(8002)" OR threat_name="SCAN: TCP Port Scan(8001)" OR threat_name="TCP Flood(8501)" OR threat_name="UDP Flood(8502)" OR threat_name="TCP SYN with data(8723)") (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2") (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") src_ip != 191.100.200.27 AND src_ip != 191.100.200.71 AND src_ip != 191.100.200.56) | eval match_ip=coalesce(Ip,src_ip) | stats values(*) AS * by match_ip | search src_ip=* Ip=* | stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip |table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone | rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date </CODE></PRE> <P>Right now it finds the match IP. But the problem is it didn't show the fields well. I should have 55 events and I have 2000. Every IP has multiple times, dest zones etc. Obviously, this is not true.</P> <P>Thank you!</P> Mon, 10 Sep 2018 15:13:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-create-a-search-that-would-match-fields-for-two/m-p/453358#M6362 christianubeda 2018-09-10T15:13:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-create-a-search-that-would-match-fields-for-two/m-p/453359#M6363 <P>Maybe using a subsearch? It has limits but for small amounts of data or time ranges it is fine.</P> <PRE><CODE>index=AAA [search index=BBB ... | stats count by src_ip | table src_ip | format] | ...etc </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Aboutsubsearches">https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Aboutsubsearches</A></P> Thu, 13 Sep 2018 13:08:26 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-create-a-search-that-would-match-fields-for-two/m-p/453359#M6363 osakachan 2018-09-13T13:08:26Z