Hello, team!
I need your help with my search.
I have a search which collects a list of IP addresses, and next I need to check whether there is an event in another index with each IP address. If there is a corresponding event, it's okay; if not, alert. How can I implement this better?
Something like the below should work:
index=secondsearchindex sourcetype=sourcetype
[ search index=firstsearchquery_withIPaddresses
| stats c by ipaddress
| table ipaddress]
You can schedule an alert if you get 0 results from the above.
For reference - https://docs.splunk.com/Documentation/Splunk/9.0.0/Search/Aboutsubsearches
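The search above lists events in the second index that match an IP from the first; if the goal is instead one row per IP that has no match (so the alert can name the missing addresses), an anti-join via a single combined `stats` avoids the subsearch result limit, which by default truncates the generated OR list at 10,000 results and 60 seconds (limits.conf `[subsearch]`, `maxout` and `maxtime`). The following is an added example, not part of the original answer: it reuses the answer's placeholder index and sourcetype names, and it assumes the first index carries the address in `ipaddress` while the second may carry it in `src_ip`, hence the `coalesce`. Adjust both field names to your data.

```spl
(index=firstsearchquery_withIPaddresses) OR (index=secondsearchindex sourcetype=sourcetype)
| eval ipaddress=coalesce(ipaddress, src_ip)
| where isnotnull(ipaddress)
| eval seen_in=if(index="secondsearchindex", "second", "first")
| stats values(seen_in) AS seen_in, count AS events by ipaddress
| where mvcount(seen_in)=1 AND seen_in="first"
| fields ipaddress events
```

Each result row is an IP that appeared in the first index but never in the second during the search window, so save this as a scheduled search with a trigger condition of "number of results is greater than 0" rather than "equals 0". Both indexes are searched over the same `earliest`/`latest` range; if the corroborating event can legitimately arrive later than the original, widen the window or the alert will fire on the lag. The shorter form `index=firstsearchquery_withIPaddresses NOT [ search index=secondsearchindex | stats count by ipaddress | fields ipaddress ]` gives the same answer for small sets, but once the second index holds more distinct IPs than `maxout` the subsearch silently drops the rest and those addresses are reported as missing.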
Better than what? What implementation do you have now?