
How to create search to combine multiple “sourcetypes”?

shrugshoulders1
New Member

In my query, I am trying to combine the output from one index and sourcetype with the output of another index and sourcetype. I have looked at the documentation and came across subsearches, and have attempted to use the search command, but I am not getting any results, which leads me to believe I am definitely doing it wrong. Please see my example below.

index=A sourcetype=cat ProjectOwner="person" dest_owner="person" [search sourcetype=FW destp=1111 action=denied | table host] | srcdns srcip


yeahnah
Motivator

Hi @shrugshoulders1 

Pulling events from different sources is as simple as using an OR statement, like below:

(index=A sourcetype=cat ProjectOwner="person" dest_owner="person")
OR
(index=B sourcetype=FW destp=1111 action=denied)
| table host srcdns srcip
| ...

The harder part can be combining the events afterwards, as that requires a common key value, or correlation ID, in each event to tie them together. If they have this, then something like the stats command is brilliant, e.g.

... your search ...
| stats values(*) AS * BY ...common key value to combine events...
| ...

Hope this helps


shrugshoulders1
New Member

I really appreciate your help.

I thought I would be able to accomplish this using a subsearch, where I search for denied traffic to port 22 (as an example), using the source IP address as an output commonality for the main search to match those src IP addresses to machines that are owned by one user. I may have misread the documentation.

Learning is occurring. 


richgalloway
SplunkTrust

What do you mean by "combine"? What is the desired output to look like?

Use a subsearch when you want to incorporate the results of one search into the query of another search. In the example, index A will be searched for all hosts reporting sourcetype FW and destp 1111 with action=denied.

To simply include the events from two indexes and sourcetypes, just put OR between them.

(index=A sourcetype=cat ProjectOwner="person" dest_owner="person") OR (index=baz sourcetype=FW destp=1111 action=denied)

This merely dumps the events found. It makes no relationship between them. If there is to be any, then please elaborate.

---
If this reply helps you, Karma would be appreciated.

shrugshoulders1
New Member

Thank you for your help. I will elaborate. Server host names and the owners they are assigned to are in one index and sourcetype. FW traffic is in another. I want to create an inventory list of servers belonging to one specific user (this information would be in its own index and sourcetype) and find all denied traffic to a specific port, which would be in the FW index and sourcetype.


I thought I would be able to accomplish this using a subsearch, where I search for denied traffic to port 22 (as an example), using the source IP address as an output commonality for the main search to match those src IP addresses to machines that are owned by one user. I may have misread the documentation.

I hope that I have helped you better help me with my reply. 

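An added example, not posted by anyone in this thread, that puts the OR pattern and the common-key stats step together for the use case described above (an owner's server inventory in index=A sourcetype=cat, firewall denies in index=B sourcetype=FW). It assumes that both event types carry a host field with the same value to serve as the correlation key, and that the FW events carry srcip and srcdns as in the original query; the flags computed before stats are what let you keep only hosts that appear in both sources.

```spl
(index=A sourcetype=cat ProjectOwner="person" dest_owner="person")
OR (index=B sourcetype=FW destp=1111 action=denied)
| eval owned=if(sourcetype=="cat",1,0)
| eval denied=if(sourcetype=="FW" AND action=="denied",1,0)
| stats max(owned) AS owned sum(denied) AS denied_count values(srcip) AS srcip values(srcdns) AS srcdns BY host
| where owned=1 AND denied_count>0
| table host srcdns srcip denied_count
```

Hosts that are in the inventory but have no denies, and hosts with denies that are not owned by the user, are dropped by the where clause; remove the denied_count>0 condition if you also want to see owned hosts with zero denies.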