Splunk Search

Correlation to search multiple ST for matching rexed values

Capttech
Explorer

Looking to build 1 correlation search to do the following:

Bring an extracted field name from 1 ST and search that field name across another ST.

If hits in both ST, do not alert. If only hits in the first ST, do alert.

Ideally, this would function similarly to how $host$ can be used in a drill down to pull the host name, though I'm not sure this is possible for a correlation search. Is there a command to do a comparison like this?

So far I have the following returning results:
sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)"]

This does give me results from both indexes, but this is not correlating results from A to B (obviously). I have tried several commands (join, transaction, coalesce etc) and removed these failed attempts from the above for simplicity. I may have been using these commands incorrectly as well. 

TYIA


Capttech
Explorer

After speaking to our local Splunk admin, what I am trying to do is not possible. So decided to break it into the 2 searches; 1 correlation search and then a drill down. Then we're building a playbook to auto-close the alert if the drill down finds hits. 

I was trying to build this alert to not hit SOAR and thus reduce resources on our Splunk instance, but this was not possible in this manner.

Capttech
Explorer

Thanks for the quick response.

So endpoint would be a rex'd field, but I want to search on the specific endpoint name from the first rex command. I am also looking to correlate that the specific endpoint name is present in both sourcetypes. Endpoint is not an extracted field in either ST, so it needs to be rex'd out of both. The above may work if I were able to run it as "| stats count by $endpoint$".

For example, I could build the alert as:

Correlation search:

sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| stats count by endpoint

Drill down:

sourcetype=B "Live" | search $endpoint$

(In this case, the drill down would become a keyword search on the endpoint name rather than a rex'd field.)

This would work and create an alert that would just need to be manually closed if validated by proving the same endpoint is present in both ST's. Would like to reduce this noise if possible. 


richgalloway
SplunkTrust

It's not entirely clear what the expected output should be, but perhaps this helps. It counts the number of sourcetypes for each endpoint and filters out events where endpoint is in both sourcetypes.

sourcetype=A 
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" 
  | rex field=_raw "Mike\s+(?<endpoint>\w+)"]
| stats count by endpoint
| where count = 1
---
If this reply helps you, Karma would be appreciated.
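One way to express the comparison as a single search, added here as an example and not taken from the thread: both sourcetypes are pulled in one base search, the endpoint is extracted from each into its own field and merged with coalesce, and stats dc(sourcetype) records how many sourcetypes each endpoint appears in, so an endpoint that occurs several times in A alone still yields st_count=1. The field names endpoint_a, endpoint_b, st_count, sourcetypes and events are assumed names chosen for this example.

```spl
(sourcetype=A) OR (sourcetype=B "Live")
| rex field=_raw "John\s+(?<endpoint_a>\w+)"
| rex field=_raw "Mike\s+(?<endpoint_b>\w+)"
| eval endpoint=coalesce(endpoint_a, endpoint_b)
| where isnotnull(endpoint)
| stats dc(sourcetype) AS st_count, values(sourcetype) AS sourcetypes, count AS events BY endpoint
| where st_count=1 AND sourcetypes="A"
```

Rows come back only for endpoints present in A and absent from B, which is the condition that should alert; removing the sourcetypes="A" clause would also alert on endpoints seen only in B.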