Splunk Enterprise Security

Can you help me create a search that would match fields for two different indexes and stats?

christianubeda
Path Finder

Hi team!

I need help with a search.

I have 2 indexes and I want to match both for an IP field. If they match, I want stats for the first one.

This is my search right now.

(index=AAA Ip=*) OR (index=BBB src_ip=* (threat_name="SCAN: Host Sweep(8002)" OR threat_name="SCAN: TCP Port Scan(8001)" OR threat_name="TCP Flood(8501)" OR threat_name="UDP Flood(8502)" OR threat_name="TCP SYN with data(8723)") (src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2") (dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") src_ip != 191.100.200.27 AND src_ip != 191.100.200.71 AND src_ip != 191.100.200.56)
| eval match_ip=coalesce(Ip,src_ip)
| stats values(*) AS * by match_ip
| search src_ip=* Ip=*
| stats count, values(src_zone) as Source_zone, values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user, src_ip, generated_time, dest_ip
| table generated_time, "Threat name", Action, Severity, src_ip, dest_ip, user, Source_zone, Destination_zone
| rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date

Right now it finds the matching IP, but the problem is that it doesn't show the fields well. I should have 55 events and I have 2000. Every IP has multiple times, dest zones, etc. Obviously, this is not true.

Thank you!


osakachan
Communicator

Maybe using a subsearch? It has limits but for small amounts of data or time ranges it is fine.

index=AAA 
    [search index=BBB ... 
    | stats count by src_ip
    | table src_ip
    | format]
| ...etc

https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Aboutsubsearches

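The explosion in the question's search comes from `stats values(*) AS * by match_ip`: it collapses each IP to one row whose fields are all multivalue, and the second `stats ... by user, src_ip, generated_time, dest_ip` then splits every multivalue by-field, so one IP yields a row per combination of its values. The search below is an added example (editor's, not code posted by either participant) that does the same correlation in a single search and only aggregates events from index AAA, as the question asks. It keeps the field names, threat names, zones and excluded addresses from the question verbatim and assumes nothing else about the data beyond Splunk's default `index` and `_time` fields; the output field names (`indexes_seen`, `aaa_events`, `first_seen`, `last_seen`) are chosen here and can be changed freely.

```spl
(index=AAA Ip=*)
OR (index=BBB src_ip=*
    (threat_name="SCAN: Host Sweep(8002)" OR threat_name="SCAN: TCP Port Scan(8001)" OR threat_name="TCP Flood(8501)" OR threat_name="UDP Flood(8502)" OR threat_name="TCP SYN with data(8723)")
    src_zone!="Inet-WAN1" src_zone!="Inet-WAN2"
    dest_zone!="Inet-WAN1" dest_zone!="Inet-WAN2"
    src_ip!=191.100.200.27 src_ip!=191.100.200.71 src_ip!=191.100.200.56)
| eval match_ip=coalesce(Ip, src_ip)
| eventstats dc(index) AS indexes_seen BY match_ip
| where indexes_seen=2 AND index="AAA"
| stats count AS aaa_events, min(_time) AS first_seen, max(_time) AS last_seen BY match_ip
| convert ctime(first_seen) ctime(last_seen)
| rename match_ip AS Source_IP
```

Stage by stage: `coalesce(Ip, src_ip)` gives both indexes one common field to correlate on; `eventstats dc(index) ... BY match_ip` annotates every event with the number of distinct indexes that IP appears in, without collapsing rows the way `stats` does; `where indexes_seen=2 AND index="AAA"` keeps only the AAA events whose IP also produced a filtered BBB hit; the final `stats` then runs over AAA events alone, so the row count is the number of matched IPs and no multivalue splitting occurs. Any additional AAA fields you want per row go into the last `BY` clause or as `values(...)` functions. If the fields you actually want to report (threat_name, src_zone, vendor_action, severity) live in BBB, change the filter to `index="BBB"` and aggregate those fields instead. One caveat for the subsearch approach in the answer above: `format` emits terms of the form `src_ip="x"`, but the AAA events carry the address in `Ip`, so the subsearch needs `| rename src_ip AS Ip` before `| format` or it will match nothing in AAA; it is also subject to the subsearch result and time limits, which the eventstats version avoids.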