Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me make a search that returns stats from two indexes when they match?

christianubeda
Path Finder
‎09-11-2018 02:19 AM

Hi team!

I'm new here, very first time with Splunk.

I need stats from two different indexes but only if they match.

If IP from indexA = src_ip from IndexB then i want stats from IndexB. Again, but only if they match.

I have this but it's not working. I need it to find the match but not to show me the correct stats.

Generated_time and dest_zone is crazy. It's supposed to show me 55 events and it shows me 2000, because 1 real event produces 50 fake event, and I don't know why that is.

This is my search right now.

(index=csvindex Ip=*) OR (index=cesa_paloalto src_ip=*) | eval match_ip=coalesce(Ip,src_ip) | stats values(*) AS * by match_ip | search src_ip=* Ip=* | stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip |table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone | rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date

Please help!

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-11-2018 09:10 AM

@christianubeda

Can you please try below search?

index=cesa_paloalto 
    [ index=csvindex Ip=*  | dedup Ip | rename Ip as src_ip | table src_ip] 
| dedup src_ip 
| stats count, values(src_zone) as Source_zone,values(dest_zone) as Destination_zone, values(threat_name) as "Threat name", values(vendor_action) as Action, values(severity) as Severity by user,src_ip, generated_time, dest_ip 
| table generated_time,"Threat name", Action,Severity src_ip, dest_ip,user, Source_zone, Destination_zone 
| rename src_ip as Source_IP, dest_ip as Destination_IP, user as User, generated_time as Date
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...