How to verify IP addresses from 1 index to IPs of ...

stefanstolk1987 · ‎12-10-2015

Hello

I was hoping to find some help regarding a 2 indexes we log in Splunk.
We use BlueCoat logs to log all the TCP actions (requests).
We recently had a large number of infections that may still wander around.
We also log all the AD IP addresses to hostname.

Now I want to check 2 outputs:

index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | table, src_ip, date
index="windows" sourcetype="dhcpsrvlogs" src_ip="?????" date="?????" | table, sAMAccountName

Because the (index) Bcoat logs only output src_ip's to dates, I want to resolve to hostname from the (index) Windows.

I hope someone can help me get started with this.

sundareshr · ‎12-10-2015

Try something like this

index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | join src_ip [search index="windows" sourcetype="dhcpsrvlogs" | table sAMAccountName] | table sAMAccountName src_ip, date

http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Join

How to verify IP addresses from 1 index to IPs of another index to resolve hostnames?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to verify IP addresses from 1 index to IPs of another index to resolve hostnames?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES