Splunk Search

Searching and matching from two different indexes and retrieving values from one index

cald0002
New Member

I have two indexes that contain the same ip address but only one index contains hostnames for the ip addresses. How can I search and match the ip addresses from both indexes in the same query and table out each ip address with their corresponding hostname?


MuS
Legend

Hi cald0002,

Give this a try:

(SPL to get events from index 1) OR (SPL to get events from index 2)
| stats values(hostname) AS hostname by ip

You might need to adapt the query to match the hostname and ip fields according to your events.

hope this helps ...

cheers, MuS
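A concrete form of the pattern in the answer above, added here as an example and not part of the original post. The index names `idx_ip_only` and `idx_with_hostnames` and the field names `src_ip`, `ip` and `hostname` are assumptions; replace them with the names used in your events.

```spl
(index=idx_ip_only src_ip=*) OR (index=idx_with_hostnames ip=* hostname=*)
| eval ip=coalesce(ip, src_ip)
| stats values(hostname) AS hostname dc(index) AS index_count values(index) AS seen_in BY ip
| where index_count=2
| table ip hostname seen_in
```

The `eval` puts both IP fields under one name so that `stats` can group on it, and `where index_count=2` keeps only addresses seen in both indexes. Without the `where` line, addresses that appear only in the index without hostnames are listed with an empty hostname.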
