My Query is little different,
I need to find the access status of web links on firewall/proxy logs of the access status
I got all the malicious URL in Mimecast logs, need to compare the url's with the proxy logs.
not sure how to proceed, do I need to create a lookup, or It can be done via a search itself
Can you provide some sample events from both log sources? There are multiple ways to do it.
Suppose if you have the common field in both the log sources then you can do it by stats OR join command.
Using stats :
(sourcetype=mimecast_for_splunk URL=*) OR sourcetype="pan:threat" | stats values(your_fields) ...by common_field
Give me more details of what do you want exactly?
Are you just looking for raw logs or you are looking for specific key-value?
If URL exists in both sources then make sure that URL field is extracted in both the sources.
Actually the scenario is, whenever anyone gets any weblink in email, I want to check that that link is tried access or not.
I am getting the web link from teh first search mimecastforsplunk URL=*
the result for this search could be anything, whatever we get from outside.
but want to compare this result with my web logs i.e. sourcetype="pan:threat" URL=*
now I need the URL that are matching in both the log sources.