I'm new to Splunk and I'm trying to build a summary index.
I have a KVStore and an index:
A: inputlookup spam_ip (which is an indicator of compromise)
B: index=main (which is the event log)
Both have a field that contains the same data:
e.g. A has a field (spam_ip), B has a field (source_ip).
I want to populate a summary index with every record in set A whose field value is contained in set B.
I got it with this:
| inputlookup spam_ip | join srcip [ search index=main | rename ip as srcip | fields srcip ]
Thank you for your time.
It would help to know what you've tried so far and what the results were, but perhaps this will help:
index=main [ | inputlookup spam_ip | rename spam_ip as source_ip | fields source_ip | format ]
It works, but when I tried this
| inputlookup ts_lookup_destip (index=main | rename ip as srcip | fields srcip | format)
I get an error.
The result I want is which indicator of compromise (including all its fields) is used to detect.
What error do you get? It must be syntax related since that query is not valid SPL. Replacing the square brackets with parentheses completely changes the query. Did you try the same query with square brackets?
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
When I tried this
| inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format]
I get "Unknown search command 'index'".
It works, thank you!!
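The subsearch approach from the accepted reply, carried through to the summary index the question asked about; this is an added example, not a query from the thread. It assumes the lookup is named spam_ip with a field spam_ip and the events in index=main carry source_ip (as described in the question), and that a summary index named ioc_hits already exists (a name chosen here, not from the thread). The subsearch restricts the event search to IPs present in the lookup, stats aggregates hits per IP, lookup with no OUTPUT clause re-attaches every field of the matching lookup row, and collect writes the result to the summary index.

```spl
index=main
    [ | inputlookup spam_ip | rename spam_ip AS source_ip | fields source_ip | format ]
| stats count AS hits, min(_time) AS first_seen, max(_time) AS last_seen BY source_ip
| lookup spam_ip spam_ip AS source_ip
| where isnotnull(spam_ip)
| eval _time=last_seen
| collect index=ioc_hits source="ioc_spam_ip_match"
```

Run this as a scheduled saved search with summary indexing enabled rather than interactively, since collect is what summary indexing does under the hood. Subsearch results are capped by limits.conf, so a very large lookup may be silently truncated; the where clause keeps only rows the lookup actually matched, and for large IoC sets the lookup command alone (without the subsearch) avoids the cap at the cost of scanning all events.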