https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/545010#M154335 <P>Thanks for the guidelines here- I played around with a very basic join command and this resulted in the following:</P><P>(index=fortfw) level=warning host="XXXXXXXX" category="Malicious Websites" | rename src as ip | join ip [search index="dhcp"] | stats count by hostname, ip</P><P>This seemed to do the trick and I now get my stats that include the hostname.....</P> Tue, 23 Mar 2021 21:36:51 GMT daryllj 2021-03-23T21:36:51Z https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/544982#M154329 <P>Hi all- we want to get a bit more elegant with correlation searching between two different indexes.&nbsp; There seems to be a lot of different approaches, but ultimately this is what we are trying to do:</P><P>1) we have a set of events returned from a firewall index search</P><P>EXAMPLE:&nbsp;&nbsp;&nbsp;(index=XXXXXX) level=warning host="XXXXXXXX" category="Malicious Websites" | stats count by srcip</P><P>2) we have the record of the IP in question in our DHCP index:</P><P>EXAMPLE:&nbsp;&nbsp;index="dhcp" host="XXXXXXXX" | stats count by ip, hostname</P><P>&nbsp;What is the most elegant approach to searching so that values from our firewall report are returned using the hostname information that was listed in DHCP?&nbsp; &nbsp;</P><P>I assume I would need to use the rename command to ensure srcip and ip match up, and see a lot of different ways to potentially achieve this and could use some direction on which is the simplest path to take (ie: subsearch?)</P><P>Desired End Result:</P><P>A report that lists firewall data that includes both IP and Hostname at the time of the log, vs what a DNS lookup would provide, preserving and confirming what IP was assigned to what hostname at the time of the firewall log.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Mar 2021 18:41:08 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/544982#M154329 daryllj 2021-03-23T18:41:08Z https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/544991#M154331 <P>Look into the join option here. Append and transaction would work, but I think Join would be the best bet. Example below:<BR /><BR />-&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Join" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Join</A><BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval ip = "10.0.0.0" | rename ip as src_ip | stats count by src_ip | eval event="list" | join src_ip [| makeresults | eval src_ip = "10.0.0.0", hostname = "desktop", event = "append"]</LI-CODE> Tue, 23 Mar 2021 19:31:10 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/544991#M154331 hoaxm3 2021-03-23T19:31:10Z https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/545010#M154335 <P>Thanks for the guidelines here- I played around with a very basic join command and this resulted in the following:</P><P>(index=fortfw) level=warning host="XXXXXXXX" category="Malicious Websites" | rename src as ip | join ip [search index="dhcp"] | stats count by hostname, ip</P><P>This seemed to do the trick and I now get my stats that include the hostname.....</P> Tue, 23 Mar 2021 21:36:51 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-correlation-search-between-two-different-indexes-DHCP/m-p/545010#M154335 daryllj 2021-03-23T21:36:51Z