https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553156#M157022 <P>when i tried this</P><LI-CODE lang="markup">| inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format]</LI-CODE><P>i get&nbsp;<STRONG>Unknown search command 'index'.</STRONG></P> Wed, 26 May 2021 14:16:57 GMT Daniel_Pham 2021-05-26T14:16:57Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553117#M157010 <P class="lia-align-left"><SPAN>I'm new to Splunk And I'm trying to build summary index&nbsp;</SPAN></P><P class="lia-align-left"><SPAN>i have KVStore and index</SPAN></P><P class="lia-align-left"><STRONG>A: inputlookup spam_ip&nbsp;</STRONG>(which is Indicator of compromise)</P><P class="lia-align-left"><STRONG>B: index=main&nbsp;</STRONG>(which is event log)</P><P class="lia-align-left">Both indexes have a field that has the same data:</P><P class="lia-align-left">eg: <STRONG>A has a field (spam_ip), B has a field (source_ip)</STRONG></P><P class="lia-align-left">And populate all record in set <STRONG>A</STRONG>&nbsp;that the record have data field contain in set <STRONG>B</STRONG> into summary index</P><P class="lia-align-left">&nbsp;</P> Wed, 26 May 2021 10:48:46 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553117#M157010 Daniel_Pham 2021-05-26T10:48:46Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553133#M157014 <P>it would help to know what you've tried so far and what the results were, but perhaps this will help:</P><LI-CODE lang="markup">index=main [ | inputlookup spam_ip | rename spam_ip as source_ip | fields source_ip | format ]</LI-CODE> Wed, 26 May 2021 12:45:05 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553133#M157014 richgalloway 2021-05-26T12:45:05Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553147#M157017 <P>it works, thank you !!</P> Wed, 26 May 2021 13:39:17 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553147#M157017 Daniel_Pham 2021-05-26T13:39:17Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553152#M157019 <P>it works but when i tried this</P><LI-CODE lang="markup">| inputlookup ts_lookup_destip (index=main | rename ip as srcip | fields srcip | format)</LI-CODE><P>i get an error</P><P>The result i want is which indicator of compromise (include all fields) is used to detect&nbsp;</P><P>&nbsp;</P> Wed, 26 May 2021 14:04:57 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553152#M157019 Daniel_Pham 2021-05-26T14:04:57Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553154#M157020 <P>What error do you get?&nbsp; It must be syntax related since that query is not valid SPL.&nbsp; Replacing the square brackets with parentheses completely changes the query.&nbsp; Did you try the same query with square brackets?</P> Wed, 26 May 2021 14:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553154#M157020 richgalloway 2021-05-26T14:13:07Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553156#M157022 <P>when i tried this</P><LI-CODE lang="markup">| inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format]</LI-CODE><P>i get&nbsp;<STRONG>Unknown search command 'index'.</STRONG></P> Wed, 26 May 2021 14:16:57 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553156#M157022 Daniel_Pham 2021-05-26T14:16:57Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553174#M157031 <P class="lia-align-left">i got it with this&nbsp;</P><LI-CODE lang="markup">| inputlookup spam_ip | join srcip [ search index=main | rename ip as srcip | fields srcip ]</LI-CODE><P>thank you for your time</P> Wed, 26 May 2021 16:02:33 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553174#M157031 Daniel_Pham 2021-05-26T16:02:33Z https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553183#M157035 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Wed, 26 May 2021 17:27:32 GMT https://community.splunk.com/t5/Splunk-Search/Design-a-search-for-find-list-intersection-of-kvstore-and-inndex/m-p/553183#M157035 richgalloway 2021-05-26T17:27:32Z