Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Highlighting data in one table that is contained in a separate table?

mjande5
Observer
‎05-30-2022 05:20 PM

Hi, rather new to this community, but trying to figure this out.  I have table 1 with two fields, (src_ip and dest_ip) and another table 2 with (IP) field.  I would like to highlight any IPs in table 2 that are a match to any in table 1 in either field.  Is there an easy way to accomplish this?  Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-31-2022 12:14 AM

Since you're asking in the "Dashboards & Visualizations" section - do you mean that you have two separate table widgets on the same  dashboard? Or do you simply want to do a "match" for two given searches.

0 Karma
Reply

mjande5
Observer
‎05-31-2022 03:39 AM

@PickleRick 

Sorry, I should have been more clear.  I have two separate dashboards that query differing information.  One has src_ip and dest_ip columns and the other dashboard has an IP column.  I would like to have any IPs in either the src_ip or dest_ip columns to highlight or some way stand out if they match the IPs in the other dashboard with the IP column.  I hope this helps clear up what I am trying to do.

-Mike

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-30-2022 11:54 PM

Hi @mjande5,

if the results in the second table are less than 50,000, you can use a search like this:

index=index1 ([ search index=index2 | rename IP AS src_ip | fields src_ip ] OR [ search index=index2 | rename IP AS dest_ip | fields dest_ip ])
| table _time src_ip dest_ip

If they are more than 50,000 you need a different solution.

Let me know.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...