Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare results from 2 indexes on a common field?

mwdbhyat
Builder
‎10-08-2018 02:29 AM

Hi guys,

Has anyone ever written a search that can compare events(in this case "indicator" across 2 indexes and show them in separate tables side by side? EG search(that doesn't work):

index=ironport
| rename url AS indicator
| join indicator [search index=crowdstrike* type=url earliest=0 | spath output=myfield path=relations.indicator{}.type{} | table indicator, type, ip_address_types, labels_name,malware_families]
| table indicator

I'm basically looking for common "indicator" fields between two indexes, which would then be presented in a table.
Any thoughts on this?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-08-2018 03:18 PM

Stop using join; try this:

index=ironport OR (index=crowdstrike* type=url earliest=0)
| spath output=myfield path=relations.indicator{}.type{}
| table indicator, type, ip_address_types, labels_name,malware_families)
| eval indicator = coalesce(indicator, url)
| stats dc(index) AS indexCount BY indicator
| search indexCount>1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-08-2018 03:18 PM

Stop using join; try this:

index=ironport OR (index=crowdstrike* type=url earliest=0)
| spath output=myfield path=relations.indicator{}.type{}
| table indicator, type, ip_address_types, labels_name,malware_families)
| eval indicator = coalesce(indicator, url)
| stats dc(index) AS indexCount BY indicator
| search indexCount>1
0 Karma
Reply
Solved! Jump to solution

mwdbhyat
Builder
‎10-08-2018 11:00 PM

Thanks that did what I wanted

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-09-2018 08:01 AM

It will probably be more efficient if you drop the | table line or switch to | fields. Try that and compare.

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎10-08-2018 06:45 AM

You can try some this like this

index=ironport
| rename url AS indicator |appendcols [search index=crowdstrike* type=url earliest=0 | spath output=myfield path=relations.indicator{}.type{} | table indicator, type, ip_address_types, labels_name,malware_families]| stats values(*) as * by indicator

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...