Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to table results only if field value within indexA is contained within field of indexB

epw0rrell
Path Finder
‎01-15-2021 12:15 PM

I have email logs within index=Email and suspicious domain connections within index=Security.

The field name within Security = domain (values look like "website.com")

The field of interest in Email = URL (values look like https://www.corp.website.com/page1/page2/etc:443)

I need to search index=Email and do a sub-search within index=Security and only return results if domain is contained within URL.

I tried things like:

 

index=Email [search index=Security | where like(URL, "%"."domain"."%")]

 

Anyone that can help me you will make my week!  Thanks for your time.

 

 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-15-2021 12:33 PM 
index=Email [search index=Security |fields domain|rename domain as search]

View solution in original post

Reply
Solved! Jump to solution

epw0rrell
Path Finder
‎01-21-2021 12:35 PM

Thanks that worked great.  If I could ask a follow on to this, would there be a way to include the query string that hit on the sessions displayed?  I output the results to a lookup file thinking I could append the "query" column to the results (query shown below) but that just added all the domains used in the query to the lookup file.

| inputlookup emailHITS.csv | appendcols [search index=security | fields domain | rename domain as query] | table _time query subject url fromEmail fromIP fromMX

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-15-2021 12:33 PM 
index=Email [search index=Security |fields domain|rename domain as search]
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...