Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me make a search that returns stats from two indexes when they match?

christianubeda
Path Finder
‎09-11-2018 02:19 AM

Hi team!

I'm new here, very first time with Splunk.

I need stats from two different indexes but only if they match.

If IP from indexA = src_ip from IndexB then i want stats from IndexB. Again, but only if they match.

I have this but it's not working. I need it to find the match but not to show me the correct stats.

Generated_time and dest_zone is crazy. It's supposed to show me 55 events and it shows me 2000, because 1 real event produces 50 fake event, and I don't know why that is.

This is my search right now.

(index=csvindex Ip=*) OR (index=cesa_paloalto src_ip=*) | eval match_ip=coalesce(Ip,src_ip) | stats values(*) AS * by match_ip | search src_ip=* Ip=* | stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip |table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone | rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date

Please help!

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-11-2018 09:10 AM

@christianubeda

Can you please try below search?

index=cesa_paloalto 
    [ index=csvindex Ip=*  | dedup Ip | rename Ip as src_ip | table src_ip] 
| dedup src_ip 
| stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip 
| table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone 
| rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date
0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...