topic Re: How do I compare results from 2 indexes on a common field? in Splunk Search

How do I compare results from 2 indexes on a common field?

mwdbhyat — Mon, 08 Oct 2018 09:29:45 GMT

Hi guys,

Has anyone ever written a search that can compare events(in this case "indicator" across 2 indexes and show them in separate tables side by side? EG search(that doesn't work):

index=ironport
| rename url AS indicator
| join indicator [search index=crowdstrike* type=url earliest=0 | spath output=myfield path=relations.indicator{}.type{} | table indicator, type, ip_address_types, labels_name,malware_families]
| table indicator

I'm basically looking for common "indicator" fields between two indexes, which would then be presented in a table.
Any thoughts on this?

Thanks!

Re: How do I compare results from 2 indexes on a common field?

ssadanala1 — Tue, 29 Sep 2020 21:31:37 GMT

You can try some this like this

index=ironport
| rename url AS indicator |appendcols [search index=crowdstrike* type=url earliest=0 | spath output=myfield path=relations.indicator{}.type{} | table indicator, type, ip_address_types, labels_name,malware_families]| stats values(*) as * by indicator

Re: How do I compare results from 2 indexes on a common field?

woodcock — Mon, 08 Oct 2018 22:18:50 GMT

Stop using join; try this:

index=ironport OR (index=crowdstrike* type=url earliest=0)
| spath output=myfield path=relations.indicator{}.type{}
| table indicator, type, ip_address_types, labels_name,malware_families)
| eval indicator = coalesce(indicator, url)
| stats dc(index) AS indexCount BY indicator
| search indexCount>1

Re: How do I compare results from 2 indexes on a common field?

mwdbhyat — Tue, 09 Oct 2018 06:00:35 GMT

Thanks that did what I wanted

Re: How do I compare results from 2 indexes on a common field?

woodcock — Tue, 09 Oct 2018 15:01:52 GMT

It will probably be more efficient if you drop the | table line or switch to | fields. Try that and compare.