Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way display events from 2 indexes in chronological order, filtering by IP?

jbrenner
Path Finder
‎10-21-2016 12:09 PM

I have two indexes and I want to display events from both indexes in chronological order, filtering by a specific IP. What is the simplest way to accomplish this?

Thanks,
Jonathan

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎10-21-2016 01:42 PM

Are you just looking to see all of the raw events for those 2 indexes for a specific IP?

If so then something simple like this should give you what you need:

index=index1 OR index=index2 IP="10.10.210.1"

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎10-21-2016 01:42 PM

Are you just looking to see all of the raw events for those 2 indexes for a specific IP?

If so then something simple like this should give you what you need:

index=index1 OR index=index2 IP="10.10.210.1"

Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-21-2016 01:45 PM

That's exactly what I was looking for. I didn't realize it was that simple. Thanks!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-21-2016 12:51 PM

You can do a sub-search across both indexes

index=index1 IP="123.34..56.192" Field="*" [search index=index2 IP="123.34..56.192" Field="*"] | stats count by IP

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-21-2016 01:12 PM

Thanks for the response. I tried your query, but I got no events back even though both of the following queries returns events:

index=index1 IP="XXX"
index=index2 IP="XXX"

Any ideas on why this might not be working?

Thanks,
Jonathan

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-21-2016 01:14 PM

index1, index2,Field, IP are just place holder names I put in there. You should use your index names and fields. Give me a sample of your data and I'll help build the query. You will need both index names and a common IP field which is present in both indexes

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-21-2016 01:30 PM

I understand. I just didn't want to reveal proprietary information, like our customers' IP addresses. 🙂
When I use the actual IP address, and the real index names, I get no records returned.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...