Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help with combining two searches

neeltiwari
Observer
‎01-10-2022 02:40 AM

Hello Team,

How can I combine given below two searches and get the AWS instance name .

aws-description-resource( (aws_account_id="*") , (region="*") , "ec2_instances")
| search (private_ip_address="172.20.187.54")

index=c3d_security host=ip-172-23* rule=corp_deny_all_to_untrust NOT dest_port=4431 | table src_ip dest_ip transport dest_port application

Note: I am getting the output as sr_ip , dest_ip , transport dest_port and application so how can I combine these two searches and add the AWS instance name as table.

 

Regards,

Neelesh Tiwari

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-10-2022 03:28 AM

Hi

you are needing one or more common fields which has same values on both queries. After that you can combine those together e.g. with stats (or append or even join).

Here are some instructions how you can do it.

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...