Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for data in different indexes and only retu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=notable |rename src as ip | stats count by ip
| JOIN type=inner ip [search index="abcd" "tags.Dev:"cluster1 OR index="abcd" "tags.Dev:"=cluster2
| stats count by ip]
if ip is in notable index and cluster1 return ip AND if ip in notable index and cluster2 return ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=notable OR (index="abcd" ("tags.Dev:"cluster1 OR "tags.Dev:"=cluster2))
| eval ip=coalesce(src,ip)
| stats count dc(index) as flag by ip
| where flag > 1
Hi, @jrprez1804
This query searches two indexes and tallies by each ip.
That time, it is checked the indexes where the ip belongs.
and Excludes ips that belongs one index.
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=notable OR (index="abcd" ("tags.Dev:"cluster1 OR "tags.Dev:"=cluster2))
| eval ip=coalesce(src,ip)
| stats count dc(index) as flag by ip
| where flag > 1
Hi, @jrprez1804
This query searches two indexes and tallies by each ip.
That time, it is checked the indexes where the ip belongs.
and Excludes ips that belongs one index.
How about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
first, you can always do something like that: index=notable | stats count by src as ip_count | rename src as ip which will perform much better.
but now for your join question.
there are couple (or more) ways to achieve, but the overall idea is to first bring all the results to one place with a wider search, and then slice and dice as you wish. for example:
(index=notable src=*) OR (index="abcd" "tags.Dev:"cluster1 OR index="abcd" "tags.Dev:"=cluster2)
| eval normalized_ip = coalesce(ip,src)
| stats dc(index) as unique_indexes by normalized_ip
| where unique_indexes > 1
play around with the data after you capture all of it, and suite yourself with the approach you like. there are many ways to go about this one...
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I was thinking about the explanation, I was late.
The way is the same. 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
