Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join fields from two indexes using fields that match partially

DavidHourani
Super Champion
‎03-23-2015 05:34 AM

Hello,

I have two indexes one containing a list of webpages that has been accessed (Index A) and another containing a list of vulnerable sites/domains/files and their description(Index B).

I would like to join these two indexes in order to see the vulnerable websites that have been accessed. A normal join operation doesn't quite cut it because the "value" field from index B can be a word that can appear anywhere in the "webpage" field of index A.

Any idea how i can perform such a join ?

Regards,
David

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-24-2015 06:54 AM

I'm not sure what end result you are trying to achieve, but you could probably use a calculated field...

eval match=if(like(URL, %vulnerabledomain%), 1, 0)

Then, filter to match=1 and do your join on match. Or, you may not even need to perform a join, and can run stats, etc. off the calculated field.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-24-2015 06:54 AM

I'm not sure what end result you are trying to achieve, but you could probably use a calculated field...

eval match=if(like(URL, %vulnerabledomain%), 1, 0)

Then, filter to match=1 and do your join on match. Or, you may not even need to perform a join, and can run stats, etc. off the calculated field.

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎04-10-2015 04:40 AM

Here we are supposing that the same event contains both fields ? The two fields I wish to match are in different events so I have to join those 2 events based on whether a part of the key matches in both of them

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-23-2015 10:58 AM

Joins are expensive and should be avoided (if there are alternatives).

If your indexB has fewer records (<1000 for example) you can try following

index=indexA sourcetype=sourcetypeA [search index=indexB sourcetype=sourcetypeB | stats count by value | table value | eval webpage="*".value."*" | table webpage ]
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎03-24-2015 06:17 AM

Thank you for your reply... I was hoping I could avoid lookups to do this.. what do you think ? would it be possible to output the useful fields from the smaller index into CSV then use them a lookup ? if so how would I handle the "*".value."*" ?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...