Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search on another index based on the first search condition?

TrAnS
Loves-to-Learn
‎09-29-2020 02:34 PM

Hi, i am trying to do a search which can shows which internal client accessed the web but i have a proxy to access the web on behalf.

So i have a internal client X.X.X.X 

my proxy internal IP is IP.IP.IP.IP

my proxy external IP is EP.EP.EP.EP

 

so i have a search 

index=* 8.8.8.8

 

The above search will show that my proxy(EP.EP.EP.EP) access this IP. So from here i would like to based on this result i need to search index=proxy where my IP is IP.IP.IP.IP to see which internal client access this 8.8.8.8

 

Can anyone guide me on how should i write my splunk search?

0 Karma
Reply

DavidHourani
Super Champion
‎09-29-2020 11:35 PM

Hi @TrAnS ,

There are multiple ways to do so, the first one would be using a subsearch

index=proxy [search index=other dest_ip=8.8.8.8 | table dest_ip]


This is not very efficient though, so it's best to run a combined search on both indices : 

(index=proxy OR index=other) dest_ip=8.8.8.8| stats values(index) dc(index) as indexCount by dest_ip | where indexCount>2


Let me know if the above helps.

Cheers,

David

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...