- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help with [Table values of Search 1] in Search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a requirement where i got to see if the results of a Search1 with Index1 are available in search2 with Index2.
Search 1 --
index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address
Result 1 --
alert.explanation.cnc-services.cnc-service{}.address
ftp.restavracija-hongkong.si
whatismyipaddress.com
Search 2 --
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d "whatismyipaddress.com" | stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
Result 2 --
cs_url_host cnt url
cdn.whatismyipaddress.com 8 tunnel://cdn.whatismyipaddress.com:443/
whatismyipaddress.com 3 tunnel://whatismyipaddress.com:443/
But when i am mixing both the queries and trying i am not getting any output. Can anyone help.
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d [search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address] | stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
(or)
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d | search [search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com" | table alert.explanation.cnc-services.cnc-service{}.address | mvexpand alert.explanation.cnc-services.cnc-service{}.address | fields alert.explanation.cnc-services.cnc-service{}.address]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
Try using the return function:
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d
[ search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address
| return 100 $alert.explanation.cnc-services.cnc-service{}.address ]
| stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
Try using the return function:
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d
[ search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address
| return 100 $alert.explanation.cnc-services.cnc-service{}.address ]
| stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mate,
I remember trying it but dint work out the query well. Now i did.
Appreciate helping me 🙂
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
