Splunk Search

How can I do a search to see if values of one index exist in the other 2 indexes?

Woodpecker
Path Finder

Hi,

I have 3 indexes. I need to extract hash values from index 3 and do a search to see if similar files exist in index 1 & 2 as well.

Index 1 & 2 have the same field names, whereas index 3 has 3 different fields with the values. Now I need to have all these values in a single field and then do a search to compare if similar files exist in the other indexes.

Details:
=====
Index=1, sourcetype=1, hash_file
Index=2, sourcetype=2, hash_file
Index=3, sourcetype=3, hash_md5, hash_sha1, hash_sha256

Could someone please help me with a SPL?


gcusello
SplunkTrust

Hi @Woodpecker,

please try this:

(index=1 sourcetype=1 hash_file=*) OR (index=2 sourcetype=2 hash_file=*) OR (index=3 sourcetype=3 (hash_md5=* OR hash_sha1=* OR hash_sha256=*))
| eval hash=coalesce(hash_file, hash_md5, hash_sha1, hash_sha256), type=if(index=1,"1","2")
| stats dc(type) AS dc_type values(type) AS type BY hash
| where dc_type=2
| table hash

Bye.

Giuseppe

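An added example, not part of the original thread, that extends the same coalesce-and-stats idea: every hash type from an index 3 event is kept (an index 1 or 2 event could hold the MD5, SHA1 or SHA256 of the same file, so taking only the first non-null value would miss matches), hashes are normalised to lower case, and the output lists which indexes each hash was seen in, keeping only hashes present in index 3 and in at least one of indexes 1 and 2. Field names hash_file, hash_md5, hash_sha1 and hash_sha256 are the ones from the question; index and sourcetype names 1, 2 and 3 are placeholders.

```spl
(index=1 sourcetype=1 hash_file=*)
OR (index=2 sourcetype=2 hash_file=*)
OR (index=3 sourcetype=3 (hash_md5=* OR hash_sha1=* OR hash_sha256=*))
| eval hash=if(index="3", mvappend(hash_md5, hash_sha1, hash_sha256), hash_file)
| mvexpand hash
| eval hash=lower(trim(hash))
| stats values(index) AS seen_in, dc(index) AS index_count, count AS events BY hash
| search seen_in=3 AND (seen_in=1 OR seen_in=2)
| table hash seen_in index_count events
```

The mvexpand step turns each index 3 event into one row per hash type before the stats, so a single file in index 3 can match on whichever digest indexes 1 and 2 happen to store.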