Splunk Search

Need Assistance combining 2 searches from different indexes

cburgman
Path Finder

I am trying to piece together a search that shows all allowed connections that originate from our web proxies and pass through our perimeter firewalls on ports other than 80 and 443.

Here is the search I have so far that doesn't seem to be showing the data correctly:

index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19) 
| append [search index=*proxy action=allowed (port!=80 AND port!=443) | rename port AS dest_port | table action,dest_ip, dest_port, dest] 
| stats dc(dest_ip) by dest_ip, dest_port, dest, action, index
| sort -dest_port, dest_ip
| table index,action,dest_ip, dest_port, dest

Here is what I am wanting to see:

Action   Dest_IP    Dest_Port   Dest(Domain)
Allowed  175.x.x.x  9009        anydomain.com

The action, dest_ip and dest_port appear in the firewall index.
The action, dest_ip, port (renamed to dest_port in the search) and dest appear in the proxy index.

0 Karma

cburgman
Path Finder

This search is returning results, but I'm not confident this is the best path and still need to validate that the data is good.

(index=*proxy action=allowed (host=Proxy0* OR host=AnotherProxy*) AND (port!=80 AND port!=443)) OR (index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x) AND (dest_port!=80 AND dest_port!=443) AND (dest_ip!=192.x.x.x/20 AND dest_ip!=205.x.x.x/19)) 
| rename port AS dest_port
| stats dc(dest_ip) by dest_ip, dest_port, action, dest, url
| dedup dest
| sort -dest_port, dest_ip
| table action,dest_ip, dest_port, dest, url

Edit: typo

0 Karma

DalJeanis
Legend

You do not, at the current point, have any information linking the data in the two indexes. Are these two parts of a single transaction (list all the firewall events together with their related proxy events), or are they separate items that you are putting together (list all the firewall events, list all the proxy events)?

0 Karma

cburgman
Path Finder

I am wanting to list all firewall events and their related proxy events, matching the destination IP from the firewall to the destination IP from the proxy and showing the associated web site.

0 Karma
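Given the reply above (match the firewall and proxy records on destination IP), here is one way to correlate the two indexes in a single search without append or join; this is an added example, not a search from the original thread. It keeps the field names and the x.x.x placeholder values from the posts above, and assumes that both indexes carry dest_ip and that the proxy's port field is the destination port (as the earlier rename implies).

```spl
(index=*firewall action=allowed (src_ip=10.x.x.x OR src_ip=10.x.x.x) dest_port!=80 dest_port!=443)
OR (index=*proxy action=allowed port!=80 port!=443)
| eval dest_port=coalesce(dest_port, port)
| eval src_type=if(like(index, "%firewall%"), "firewall", "proxy")
| where NOT cidrmatch("192.x.x.x/20", dest_ip) AND NOT cidrmatch("205.x.x.x/19", dest_ip)
| stats values(action) AS action, values(dest) AS dest, values(url) AS url,
        values(src_type) AS seen_in, dc(src_type) AS index_count
        BY dest_ip, dest_port
| where index_count=2
| sort -dest_port, dest_ip
| table action, dest_ip, dest_port, dest, url, seen_in
```

The stats BY dest_ip, dest_port is what links the two sides: proxy-only fields such as dest and url attach to the firewall's destination, and index_count=2 keeps only destinations seen in both indexes. Drop that where line to also list firewall-only destinations (seen_in will show "firewall"), and compare the row counts against each index searched on its own before trusting the result.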