Web link accessed on Firewall

deepak007
Explorer

My query is a little different.
I need to find the access status of web links in the firewall/proxy logs.
I got all the malicious URLs in the Mimecast logs and need to compare the URLs with the proxy logs.
Not sure how to proceed: do I need to create a lookup, or can it be done via a search itself?

sourcetype=mimecast_for_splunk URL=*
sourcetype="pan:threat"

0 Karma

mayurr98
Super Champion

Can you provide some sample events from both log sources? There are multiple ways to do it.
If you have a common field in both log sources, then you can do it with the stats or join command.

Using stats :

(sourcetype=mimecast_for_splunk URL=*) OR sourcetype="pan:threat" | stats values(your_fields) ...by common_field

Can you give me more details of what exactly you want?
Are you just looking for raw logs, or are you looking for a specific key-value?
If URL exists in both sources, then make sure that the URL field is extracted in both sources.

Let me know if this helps!

0 Karma

deepak007
Explorer

Actually the scenario is: whenever anyone gets any web link in an email, I want to check whether access to that link was attempted or not.

I am getting the web link from the first search, mimecast_for_splunk URL=*
The result of this search could be anything, whatever we get from outside,
but I want to compare this result with my web logs, i.e. sourcetype="pan:threat" URL=*

Now I need the URLs that match in both log sources.

Hope this explains.

0 Karma
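
One way to write the stats-based comparison suggested in this thread, as an added example that is not part of the original posts. It assumes the URL field is extracted in both sourcetypes, as in the searches quoted above, and that the two sources may differ in case, scheme prefix and trailing slash; `url_norm`, `email_time`, `proxy_time` and the output column names are names chosen here for illustration.

```spl
(sourcetype=mimecast_for_splunk URL=*) OR (sourcetype="pan:threat" URL=*)
| eval url_norm=lower(trim(URL))
| eval url_norm=replace(url_norm, "^https?://", "")
| eval url_norm=replace(url_norm, "/+$", "")
| eval email_time=if(sourcetype=="mimecast_for_splunk", _time, null())
| eval proxy_time=if(sourcetype=="pan:threat", _time, null())
| stats dc(sourcetype) AS source_count
        min(email_time) AS first_seen_in_email
        min(proxy_time) AS first_seen_on_firewall
        count(proxy_time) AS firewall_hits
        BY url_norm
| where source_count=2
| convert ctime(first_seen_in_email) ctime(first_seen_on_firewall)
| sort - firewall_hits
```

Only URLs present in both sources survive the `where source_count=2` filter. A URL that appears in the firewall logs before it appears in an email shows up with `first_seen_on_firewall` earlier than `first_seen_in_email`, which is worth checking when the time range is narrow.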