Splunk Search

How to write a search to correlate data from multiple indexes?

New Member

Hello All,
I am very new to Splunk.
Can someone help me with this use case please:

I have to create a search which should take an IP coming from a data source A, take that IP, go to a file and grab some info against that IP (like host name/location) sitting in index B. So, being a newbie, I think I can do a search for the IP:
index=A IP=xxx.xxx.xx.xxx
what should be the second part of the search?
Any help is appreciated!

0 Karma

Re: How to write a search to correlate data from multiple indexes?

SplunkTrust

Hi sunitachan,

This is maybe difficult to understand at first, but take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea how this can be done.

Happy splunking ...

cheers, MuS


0 Karma

Re: How to write a search to correlate data from multiple indexes?

New Member

Thank you MuS, I will read thru this and let you know if it works.

0 Karma

Re: How to write a search to correlate data from multiple indexes?

SplunkTrust

As an alternative to @MuS's approach of joining data, to use info from one search to find things in another search you can use this pattern:

index=B [search index=A identifying things in index A | dedup IP | fields IP] | ...

That'll search index A for events containing your IP value and then use the values returned to search index B.

0 Karma
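The subsearch pattern above, carried through as an added example that is not part of any post in this thread. It uses makeresults to construct stand-in data for index A (firewall-style events with an IP and an action) and index B (an inventory with IPaddr, hostname and location), so it runs in any Splunk instance without real indexes; every IP, hostname, location and action value below is made up. It also covers the case raised later in the thread where the two indexes name the field differently (IP in A, IPaddr in B): the rename inside the subsearch makes the generated filter use index B's field name.

```spl
| makeresults
| eval rows="10.0.0.1,srv-web01,Frankfurt;10.0.0.2,srv-db01,Dublin;10.0.0.3,srv-app01,Austin"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<IPaddr>[^,]+),(?<hostname>[^,]+),(?<location>.+)$"
| search [
    | makeresults
    | eval rows="10.0.0.1,blocked;10.0.0.3,allowed;10.0.0.1,blocked"
    | makemv delim=";" rows
    | mvexpand rows
    | rex field=rows "^(?<IP>[^,]+),(?<action>.+)$"
    | search action=blocked
    | dedup IP
    | fields IP
    | rename IP AS IPaddr
  ]
| table IPaddr hostname location
```

The outer pipeline up to `| search [` is the stand-in for index B; the bracketed part is the stand-in for index A, narrowed to the events you care about (here `action=blocked`). Splunk turns the subsearch's rows into a filter, `( IPaddr="10.0.0.1" )`, so only the matching inventory row (srv-web01 in Frankfurt) survives. In a real search replace the two makeresults blocks with `index=B ...` and `search index=A ...`, keeping the `dedup`, `fields` and `rename` stages. Two caveats: `dedup` and `fields` matter, because the subsearch output is limited by default to 10,000 results and 60 seconds (the `maxout` and `maxtime` settings in the `[subsearch]` stanza of limits.conf), and when it is truncated Splunk filters on the incomplete list and only shows a warning in the search UI, which in an alert means hosts silently missed; and the subsearch finishes before the outer search starts, so it is the right tool for a short list of IPs, not for correlating two large event streams.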

Re: How to write a search to correlate data from multiple indexes?

New Member

Thanks a lot!!

0 Karma

Re: How to write a search to correlate data from multiple indexes?

Path Finder

index A
ip=1.1.1.1 myfield=x
ip=1.1.1.2 myfield=y

index B
ip=1.1.1.1 name=Adrian
ip=1.1.1.2 name=Alanis

index=A OR index=B | transaction ip | table ip, myfield, name
1.1.1.1, x, Adrian
1.1.1.2, y, Alanis

0 Karma

Re: How to write a search to correlate data from multiple indexes?

New Member

Thanks for the note!!

0 Karma

Re: How to write a search to correlate data from multiple indexes?

Explorer

But how do we do it if the field names are different in the two indexes?

Example:
If Index A lists ip address as IP and Index B lists it as IPaddr

0 Karma

Re: How to write a search to correlate data from multiple indexes?

SplunkTrust

hmm, exactly as already posted and described below ....

 ... | eval correlation_field=case(isnotnull(IP), IP, isnotnull(IPaddr), IPaddr, 1=1, "unknown")
 | stats values(*) AS * by correlation_field

cheers, MuS


Re: How to write a search to correlate data from multiple indexes?

SplunkTrust

... coalesce() ... 😛

0 Karma
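The eval/stats correlation from MuS's reply, written out as an added example (not MuS's code) with coalesce() in place of case() and with the mismatched field names from the question, IP in index A and IPaddr in index B. The two makeresults blocks stand in for the two indexes so the search runs without real data; all IPs, hostnames, locations and action values are constructed, and `source_index` is a made-up field that plays the role the built-in `index` field has in a real search.

```spl
| makeresults
| eval rows="10.0.0.1,blocked;10.0.0.2,allowed;10.0.0.1,allowed"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<IP>[^,]+),(?<action>.+)$"
| eval source_index="A"
| append [
    | makeresults
    | eval rows="10.0.0.1,srv-web01,Frankfurt;10.0.0.2,srv-db01,Dublin;10.0.0.9,srv-app01,Austin"
    | makemv delim=";" rows
    | mvexpand rows
    | rex field=rows "^(?<IPaddr>[^,]+),(?<hostname>[^,]+),(?<location>.+)$"
    | eval source_index="B"
  ]
| eval correlation_field=coalesce(IP, IPaddr)
| stats values(action) AS action values(hostname) AS hostname values(location) AS location dc(source_index) AS sides by correlation_field
| where sides=2
| table correlation_field action hostname location
```

`coalesce(IP, IPaddr)` returns whichever of the two fields an event actually carries, so events from both sides land in the same `correlation_field` bucket and `stats ... by correlation_field` merges them: 10.0.0.1 comes out with both actions, srv-web01 and Frankfurt, 10.0.0.2 with allowed, srv-db01 and Dublin, while 10.0.0.9 is dropped by `where sides=2` because it only exists in the inventory. In a real search do not use `append`: write `index=A OR index=B | eval correlation_field=coalesce(IP, IPaddr) | stats ... dc(index) AS sides by correlation_field`, which is a single search with no subsearch limits (`append` runs its bracketed search as a subsearch and inherits the 10,000-result cap). `where sides=2` gives inner-join semantics; drop it if you also want to see source-A IPs with no inventory entry, which during an investigation is often the more interesting list. `values()` collapses duplicates into a multivalue field, so if the inventory changes over time and you need the current entry, use `latest()` instead.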