Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to combine two searches

alexspunkshell
Contributor
‎06-15-2021 10:46 AM

Hi All,

I want to combine "LogonIP" in two different searches and get 1 result.

 

Query 1 

index=testindex | table LogonIP Event_Date Event_Title Event_Severity UPN  MFAStatus

 

Query 2

index=o365 ClientIPAddress=* |stats count by ClientIPAddress |dedup ClientIPAddress |rename ClientIPAddress as "LogonIP"

 

If the Query 2 "LogonIP" count is greater than 20 (LogonIP>20) then, I want to join the result with Query 1 and ignore the result.

But if the search Query 2 LogonIP<20 then, I want to join the result with Query 1 and get the result.

@ITWhisperer @scelikok @soutamo @saravanan90 @thambisetty @gcusello @bowesmana   @to4kawa @woodcock  Please help here.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2021 03:07 AM

Hi @alexspunkshell,

in addition to the previous answer, you have to add the distinct count of users (UPN) so you can filter results on this value, please, try something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity dc(UPN) AS dc_UPN values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP
| where dc_UPN>0

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2021 11:37 PM

Hi @alexspunkshell,

you have to correlate events using the common fields, something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP

Ciao.

Giuseppe

Reply
Solved! Jump to solution

alexspunkshell
Contributor
‎06-16-2021 02:54 AM

@gcusello Thanks for your reply.

I am getting results like the below screenshot.

Now I want the Query-1 "LogonIP" results (index=testindex ), need to check with Query2 (index=o365) "LogonIP".

And if the LogonIP are already used by 20+ users means, I want to filter in the results.

alexspunkshell_0-1623836857781.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2021 03:07 AM

Hi @alexspunkshell,

in addition to the previous answer, you have to add the distinct count of users (UPN) so you can filter results on this value, please, try something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity dc(UPN) AS dc_UPN values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP
| where dc_UPN>0

Ciao.

Giuseppe

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-15-2021 05:41 PM

Hi @alexspunkshell 

Can you try if this works for you,

 

index=testindex 
    [ search index=o365 ClientIPAddress=* 
    | stats count by ClientIPAddress 
    | dedup ClientIPAddress 
    | rename ClientIPAddress as "LogonIP" 
    | where count < 20 
    | return 1000 LogonIP] 
| table LogonIP Event_Date Event_Title Event_Severity UPN MFAStatus

 

----

An upvote would be appreciated if it helps!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...