Getting Data In

Sub search works well in one case but yields no result when sourcetypes are interchanges using join command.


I am trying to join two different sourcetypes on IP address to detect traffic to malicious IP's .
The two sources are -Firewall Logs and Threat Intelligence logs (Malicious IP list).

The query runs fine when I make firewall logs as a sub search and the threat logs as the main search using join command.(i.e. Query A).Using this I am able to get the list for malicious IP's in firewall logs.

But vice versa does not gives any result (i.e. Query B)

(A)-Query Running successfully-
sourcetype="threat_logs" | fields ip_address country | join ip_address type=inner [ search sourcetype="firewalllogs"| fields ip_address Action] | table ip_address Action country | dedup ip_address

(B)Query with No results-
sourcetype="firewalllogs" | fields ip_address Action | join ip_address type=inner [ search sourcetype="threat_logs"| fields ip_address country ] | table ip_address Action country | dedup ip_address

0 Karma


I don't know if this is a typo in your actual search or only what you've written in your question but in query B you are missing an 'e' from 'firewalllogs'.

0 Karma


yes,it is a typo.
and those are not actual source types but just a means of representation for sourcetypes.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...