Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me create a search that would match fields for two different indexes and stats?

christianubeda
Path Finder
‎09-10-2018 08:13 AM

Hi team!

I need help with a search.

I have 2 indexes and I want to match both for an IP field. If they match, I want stats for the first one.

This is my search right now.

(index=AAA Ip=*) OR (index=BBB src_ip=* (threat_name="SCAN: Host Sweep(8002)" OR threat_name="SCAN: TCP Port Scan(8001)" OR threat_name="TCP Flood(8501)" OR threat_name="UDP Flood(8502)" OR threat_name="TCP SYN with data(8723)") (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2") (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") src_ip != 191.100.200.27 AND src_ip != 191.100.200.71 AND src_ip != 191.100.200.56) | eval match_ip=coalesce(Ip,src_ip) | stats values(*) AS * by match_ip | search src_ip=* Ip=* | stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip |table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone | rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date

Right now it finds the match IP. But the problem is it didn't show the fields well. I should have 55 events and I have 2000. Every IP has multiple times, dest zones etc. Obviously, this is not true.

Thank you!

0 Karma
Reply

osakachan
Communicator
‎09-13-2018 06:08 AM

Maybe using a subsearch? It has limits but for small amounts of data or time ranges it is fine.

index=AAA 
    [search index=BBB ... 
    | stats count by src_ip
    | table src_ip
    | format]
| ...etc

https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Aboutsubsearches

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top