Splunk Search

Joining two indexes based on a common value

shazenbroek
New Member

Hi,

I'm struggling trying to produce a query and I hope someone here can help out. What I'm trying to do is the following:

I have 2 indexes, one called "Malware" and one called "AssetData". The Malware index contains all assets that have or might have an infection, and the AssetData contains all asset data of all devices. The Malware index contains the FQDN of a device, and the AssetData contains the NETBIOS name of a device. I can replace this by using rex, to make sure both fields match.

The field containing the same data is called "hostname" in the Malware index and "Asset_Tag" in the other index.

I'd like to create a report/statistics table, joining data from both indexes together. The Malware index should be leading, with the AssetData index data being added to the results.

Thanks for your help!


Runals
Motivator

As you say, you can use rex to make hostname and Asset_Tag match. Once that is done you could use stats or, if needed, a join/append to link the data up. The issue you will probably run into, though, is a time-based element: how often does your asset data get populated? Is that on change, every day, etc.?

What I would probably do is have a daily (whatever) job run on your asset data to write/update the data to a lookup. Then use the lookup against your malware data. If the asset data has a tendency to change/be pretty fluid you could have a scheduled search run every hour (whatever) looking for malware events, enriching them with the asset data, and writing them out (aka summary index approach). This would give you time based, enriched data as you carry that data forward.
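The three approaches in the answer above, written out as added example searches (these are not from the original thread). The index names, "hostname" and "Asset_Tag" are taken as written in the question; the fields signature, owner and os, the lookup file asset_data.csv and the summary index malware_enriched are assumptions for illustration. The first search is the ad-hoc stats join: rex strips the FQDN down to the short host name, both sides are upper-cased so a case difference between the FQDN and the NETBIOS name does not split the group, and the final where keeps only groups that actually contain a Malware event, which is what makes Malware the leading side. The second search is the scheduled job that writes the asset data to a lookup (latest() per host, so a device seen several times keeps its newest record), and the third is the malware search enriched from that lookup; lookup leaves owner/os empty for hosts missing from the asset data rather than dropping the malware event, and the trailing collect is the summary-index variant.

```spl
index=Malware OR index=AssetData
| rex field=hostname "^(?<host_key>[^.]+)"
| eval host_key=upper(coalesce(host_key, Asset_Tag))
| eval malware_event=if(index=="Malware", 1, 0)
| stats sum(malware_event) AS malware_events, max(_time) AS last_seen, values(signature) AS signature, values(owner) AS owner, values(os) AS os BY host_key
| where malware_events > 0
| sort - last_seen

index=AssetData
| eval host_key=upper(Asset_Tag)
| stats latest(owner) AS owner, latest(os) AS os, latest(_time) AS asset_seen BY host_key
| outputlookup asset_data.csv

index=Malware
| rex field=hostname "^(?<host_key>[^.]+)"
| eval host_key=upper(host_key)
| lookup asset_data.csv host_key OUTPUT owner os asset_seen
| table _time host_key hostname signature owner os asset_seen
| collect index=malware_enriched
```

Note that real Splunk index names are lowercase, so "Malware" and "AssetData" need to be adjusted to whatever the indexes are actually called. The second search is meant to run on a schedule (daily, or as often as the asset data changes), and the third on its own schedule over the interval since its last run; drop the collect line when running it interactively for a report.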

MuS
SplunkTrust

Hi shazenbroek,

Without any events it is hard to answer, but take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea of how it can be done.
Yes, you can use the examples also with two indexes.

cheers, MuS
