How to combine the data of two indexes base on tw...

kz21 · ‎12-22-2020

i am trying to get the common data result from the two indexes base on two common fields.

ids logs
*******
src target cve service
10.0.0.1 20.2.2.2 CVE-2020-0123 80

VA logs
******
dst cve service
20.2.2.2 CVE-2020-0123 http

search
index=fw sourcetype="ids" cve="*" [search index=va sourcetype="vascanner" | rename dst as target | fields cve target]
| table src cve target service

gcusello · ‎12-22-2020

Hi @kz21,

using a subsearch to filter a main search you have to use the same fieldnames:

index=fw sourcetype="ids" cve="*" [search index=va sourcetype="vascanner" | rename dst as target | fields cve target ]
| table src cve target service

but remember that there's the limit of 50,000 results for subsearches.

So if you can have more than 50,000 results in the subsearch you have to use a different approach:

(index=fw sourcetype="ids" cve="*") OR (index=va sourcetype="vascanner")
| rename dst as target 
| stats values(src) AS src values(service) AS service dc(index) AS dc_index BY  cve target
| where dc_index=2

Ciao.

Giuseppe

How to combine the data of two indexes base on two common fileds.

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?