I am very new to Splunk.
Can someone help me with this use case please:
I have to create a search which should take an IP coming from a data source A, then take that IP, go to a file and grab some info against that IP (like host name/location) sitting in index B. So, being a newbie, I think I can do a search for the IP.
What should be the second part of the search?
Any help is appreciated!
This may be difficult to understand at first, but take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea how this can be done.
Happy splunking ...
As an alternative to @MuS's approach of joining data, to use info from one search to find things in another search you can use this pattern:
index=B [search index=A identifying things in index A | dedup IP | fields IP] | ...
That'll search index A for events containing your IP value and then use the values returned to search index B.
index=A OR index=B | transaction ip | table ip, myfield, name
220.127.116.11, x, Adrian
18.104.22.168, y, Alanis
But what do we do if the field names are different in the two indexes?
If index A lists the IP address as IP and index B lists it as IPaddr?
Hmm, exactly as already posted and described below ...
... | eval correlation_field=case(isnotnull(IP), IP, isnotnull(IPaddr), IPaddr, 1=1, "unknown") | stats values(*) AS * by correlation_field
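Putting the two patterns from this thread together, here is an added example (not from the original answers) of a complete search for the case where index A calls the field IP and index B calls it IPaddr. The sourcetype names and the hostname/location field names in index B are placeholders for whatever your data actually uses:

```spl
index=B sourcetype=b_sourcetype
    [ search index=A sourcetype=a_sourcetype
      | dedup IP
      | rename IP AS IPaddr
      | fields IPaddr ]
| rename IPaddr AS IP
| stats values(hostname) AS hostname, values(location) AS location BY IP
```

The subsearch in brackets runs first and is rewritten into a filter of the form (IPaddr="a.b.c.d" OR IPaddr="w.x.y.z") built from the field name it returns, so the rename inside the brackets is what makes the generated filter match index B's field name. The rename after the brackets just gives the merged result a single key to group on. Two caveats: dedup before fields keeps the generated OR list as short as possible, and subsearches are capped by default (limits.conf [subsearch], maxout=10000 results and maxtime=60 seconds), so for very large IP sets the single combined search with eval/case or coalesce and stats by the common field, as in the reply above, scales better.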