Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two searches

alexspunkshell
Contributor
‎06-15-2021 10:46 AM

Hi All,

I want to combine "LogonIP" in two different searches and get 1 result.

 

Query 1 

index=testindex | table LogonIP Event_Date Event_Title Event_Severity UPN  MFAStatus

 

Query 2

index=o365 ClientIPAddress=* |stats count by ClientIPAddress |dedup ClientIPAddress |rename ClientIPAddress as "LogonIP"

 

If the Query 2 "LogonIP" count is greater than 20 (LogonIP>20) then, I want to join the result with Query 1 and ignore the result.

But if the search Query 2 LogonIP<20 then, I want to join the result with Query 1 and get the result.

@ITWhisperer @scelikok @soutamo @saravanan90 @thambisetty @gcusello @bowesmana   @to4kawa @woodcock  Please help here.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2021 03:07 AM

Hi @alexspunkshell,

in addition to the previous answer, you have to add the distinct count of users (UPN) so you can filter results on this value, please, try something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity dc(UPN) AS dc_UPN values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP
| where dc_UPN>0

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2021 11:37 PM

Hi @alexspunkshell,

you have to correlate events using the common fields, something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP

Ciao.

Giuseppe

Reply
Solved! Jump to solution

alexspunkshell
Contributor
‎06-16-2021 02:54 AM

@gcusello Thanks for your reply.

I am getting results like the below screenshot.

Now I want the Query-1 "LogonIP" results (index=testindex ), need to check with Query2 (index=o365) "LogonIP".

And if the LogonIP are already used by 20+ users means, I want to filter in the results.

alexspunkshell_0-1623836857781.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-16-2021 03:07 AM

Hi @alexspunkshell,

in addition to the previous answer, you have to add the distinct count of users (UPN) so you can filter results on this value, please, try something like this:

index=testindex OR (index=o365 ClientIPAddress=*)
| eval LogonIP=coalesce(LogonIP,ClientIPAddress)
| stats values(Event_Date) AS Event_Date values(Event_Title) AS Event_Title values(Event_Severity) AS Event_Severity dc(UPN) AS dc_UPN values(UPN) AS UPN values(MFAStatus) AS MFAStatus count(eval(index=o365)) AS Count by LogonIP
| where dc_UPN>0

Ciao.

Giuseppe

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-15-2021 05:41 PM

Hi @alexspunkshell 

Can you try if this works for you,

 

index=testindex 
    [ search index=o365 ClientIPAddress=* 
    | stats count by ClientIPAddress 
    | dedup ClientIPAddress 
    | rename ClientIPAddress as "LogonIP" 
    | where count < 20 
    | return 1000 LogonIP] 
| table LogonIP Event_Date Event_Title Event_Severity UPN MFAStatus

 

----

An upvote would be appreciated if it helps!

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...