Splunk Search

Joining two indexes based on a common value

shazenbroek
New Member

Hi,

I'm struggling trying to produce a query and I hope someone here can help out. What I'm trying to do is the following:

I have 2 indexes, one called "Malware" and one called "AssetData". The Malware index contains all assets that have or might have an infection, and the AssetData contains all asset data of all devices. The Malware index contains the FQDN of a device, and the AssetData contains the NETBIOS name of a device. I can replace this by using rex, to make sure both fields match.

The name of the field containing the same data is called "hostname" in the Malware index, and is called "Asset_Tag" in the other index.

I'd like to create a report/statistics table, joining data from both indexes together. The Malware index should be leading, with the AssetData index data being added to the results.

Thanks for your help!


Runals
Motivator

As you say you can use rex to make hostname and Asset_Tag match. Once that is done you could use stats or if needed a join/append to link the data up. The issue you will probably run into though is a time-based element of how often your asset data gets populated. Is that on change, every day, etc.?

What I would probably do is have a daily (whatever) job run on your asset data to write/update the data to a lookup. Then use the lookup against your malware data. If the asset data has a tendency to change/be pretty fluid you could have a scheduled search run every hour (whatever) looking for malware events, enriching them with the asset data, and writing them out (aka summary index approach). This would give you time-based, enriched data as you carry that data forward.
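As an added illustration of the rex-plus-lookup approach described above (example configuration, not from this thread or from either poster), the following savedsearches.conf stanzas snapshot AssetData into a CSV lookup nightly and then use it to enrich Malware events. The index and key field names (Malware, AssetData, hostname, Asset_Tag) come from the question; the asset attributes (owner, location), the malware field signature, the lookup file name and the schedules are assumptions.

```ini
# Added example, not the thread's own configuration.
# Assumed field names: owner, location (AssetData) and signature (Malware).
# Assumed lookup file: asset_inventory.csv (created by the first search).

# 1. Nightly job: snapshot the asset inventory into a CSV lookup, keyed on the
#    upper-cased NETBIOS name so it matches the short host part of the FQDN.
[Asset inventory snapshot]
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = index=AssetData \
    | eval host_key=upper(Asset_Tag) \
    | stats latest(owner) as owner latest(location) as location by host_key \
    | outputlookup asset_inventory.csv

# 2. Report: Malware is the leading dataset. rex keeps only the NETBIOS part of
#    the FQDN, the lookup adds owner/location, and hosts missing from AssetData
#    are kept and flagged rather than silently dropped.
[Malware with asset context]
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = index=Malware \
    | rex field=hostname "^(?<host_key>[^.]+)" \
    | eval host_key=upper(host_key) \
    | lookup asset_inventory.csv host_key OUTPUT owner location \
    | fillnull value="UNKNOWN (not in AssetData)" owner location \
    | stats count as malware_events values(signature) as signatures by host_key owner location \
    | sort - malware_events

# 3. Alternative without a lookup: one search over both indexes, joined with
#    stats. count(eval(...)) counts only Malware events, so the final where
#    keeps just hosts that actually have malware events (Malware stays leading).
[Malware with asset context (stats only)]
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = (index=Malware) OR (index=AssetData) \
    | rex field=hostname "^(?<host_key>[^.]+)" \
    | eval host_key=upper(coalesce(host_key, Asset_Tag)) \
    | stats count(eval(index="Malware")) as malware_events values(signature) as signatures \
        latest(owner) as owner latest(location) as location by host_key \
    | where malware_events > 0
```

The stats-only variant is simpler but re-reads AssetData on every run and only sees asset records inside the search window, which is why the lookup variant is the better fit when the inventory is refreshed infrequently.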

MuS
SplunkTrust

Hi shazenbroek,

Without any events it is hard to answer, but take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea of how it can be done.
Yes, you can use the examples also with two indexes.

cheers, MuS
