Splunk Search

Use result of set intersect for another command

catalinberbece
New Member

Hello,

I am trying to use the result of an intersect to further search in one of the indexes.
| set intersect
[search index=A something...
|table IP]
[search index=B something...
| table IP]
///at this point I have a table of common IPs between the two indexes. Now I want to add to that table another field which is only present in the index=B, so the final result will look like:

IP                      Description
x.x.x.x                  something1
y.y.y.y                  something2

Both IP and Description are extracted fields.

Tags (3)
0 Karma

catalinberbece
New Member

I've just tried both solutions but neither works. I want to mention that for one index the IP is named "clientIP" while for the other index is named "IP_ADDRESS". Also, the description field is present only on the index where IP is named "clientIP".

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Updated the answer, please try and lets know

Happy Splunking!
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi @catalinberbece,

Try this,
EDITED as per the new requirement.

(index=A OR index=B) |rename IP_ADDRESS as clientIP |stats dc(index) as dcIndex, values(Description) as Description by clientIP|where dcIndex >1
Happy Splunking!

somesoni2
SplunkTrust
SplunkTrust

Try this

index=B [search index=A something...
|table IP]
|  table IP Description
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...