Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Design a search for find list intersection of kvstore and inndex and put them to summary index

Daniel_Pham
Explorer
‎05-26-2021 03:48 AM

I'm new to Splunk And I'm trying to build summary index 

i have KVStore and index

A: inputlookup spam_ip (which is Indicator of compromise)

B: index=main (which is event log)

Both indexes have a field that has the same data:

eg: A has a field (spam_ip), B has a field (source_ip)

And populate all record in set A that the record have data field contain in set B into summary index

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Daniel_Pham
Explorer
‎05-26-2021 09:02 AM

i got it with this 

| inputlookup spam_ip | join srcip [ search index=main | rename ip  as srcip | fields srcip ]

thank you for your time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2021 05:45 AM

it would help to know what you've tried so far and what the results were, but perhaps this will help:

index=main [ | inputlookup spam_ip | rename spam_ip as source_ip | fields source_ip | format ]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Daniel_Pham
Explorer
‎05-26-2021 07:04 AM

it works but when i tried this

| inputlookup ts_lookup_destip (index=main | rename ip as srcip | fields srcip | format)

i get an error

The result i want is which indicator of compromise (include all fields) is used to detect 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2021 07:13 AM

What error do you get?  It must be syntax related since that query is not valid SPL.  Replacing the square brackets with parentheses completely changes the query.  Did you try the same query with square brackets?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

Daniel_Pham
Explorer
‎05-26-2021 09:02 AM

i got it with this 

| inputlookup spam_ip | join srcip [ search index=main | rename ip  as srcip | fields srcip ]

thank you for your time

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2021 10:27 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Daniel_Pham
Explorer
‎05-26-2021 07:16 AM

when i tried this

| inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format]

i get Unknown search command 'index'.

0 Karma
Reply
Solved! Jump to solution

Daniel_Pham
Explorer
‎05-26-2021 06:39 AM

it works, thank you !!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...