I have a requirement where I need to see if the results of Search 1 with Index 1 are available in Search 2 with Index 2.
Search 1 --
index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address
Result 1 --
ftp.restavracija-hongkong.si
whatismyipaddress.com
Search 2 --
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d "whatismyipaddress.com"
| stats count(cs_url_host) as cnt, values(url) as url by cs_url_host
Result 2 --
cdn.whatismyipaddress.com 8 tunnel://cdn.whatismyipaddress.com:443/
whatismyipaddress.com 3 tunnel://whatismyipaddress.com:443/
But when I combine both queries and try, I am not getting any output. Can anyone help?
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d
[ search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address ]
| stats count(cs_url_host) as cnt, values(url) as url by cs_url_host
(or)
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d
| search [ search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address ]
Hey
Try using the return function:
index=tcif4 sourcetype=cisco:wsa:squid:inside earliest=-33d@d latest=-32d@d
[ search index=fireeye sourcetype=fe_json product="Email MPS" earliest=-33d@d latest=-32d@d "alert.action"=notified "@team.telstra.com"
| table alert.explanation.cnc-services.cnc-service{}.address
| mvexpand alert.explanation.cnc-services.cnc-service{}.address
| fields alert.explanation.cnc-services.cnc-service{}.address
| return 100 $alert.explanation.cnc-services.cnc-service{}.address ]
| stats count(cs_url_host) as cnt,values(url) as url by cs_url_host
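As an added illustration (not from the thread), a small Python model of the join: the default subsearch expansion hands the outer search field="value" clauses for a field that does not exist in index=tcif4, so nothing matches, whereas `return 100 $field` yields bare values that behave as free-text terms. The term matching and the sample events are constructed stand-ins, not Splunk's implementation.

```python
# Model of the two join styles from the thread (added example, not from the
# original post). Splunk itself is not involved; the matching below is a
# simplified stand-in for how the outer search applies the subsearch output.
from collections import defaultdict

CNC_FIELD = "alert.explanation.cnc-services.cnc-service{}.address"

# Constructed stand-in for Result 1 (the FireEye C2 addresses).
CNC_ADDRESSES = ["ftp.restavracija-hongkong.si", "whatismyipaddress.com"]

# Constructed stand-in for proxy events in index=tcif4 (no CNC_FIELD present).
PROXY_EVENTS = [
    {"cs_url_host": "cdn.whatismyipaddress.com", "url": "tunnel://cdn.whatismyipaddress.com:443/"},
    {"cs_url_host": "cdn.whatismyipaddress.com", "url": "tunnel://cdn.whatismyipaddress.com:443/"},
    {"cs_url_host": "whatismyipaddress.com", "url": "tunnel://whatismyipaddress.com:443/"},
    {"cs_url_host": "www.example.com", "url": "http://www.example.com/"},
]


def subsearch_clauses(values, field=None):
    """Filter the outer search receives. field given -> default expansion
    (field="value" pairs); field None -> `return 100 $field` (bare values)."""
    return [(field, v) for v in values]


def event_matches(event, clauses):
    """OR over clauses: a field clause needs that field to equal the value;
    a bare value matches if it occurs anywhere in the event's text."""
    for field, value in clauses:
        if field is None:
            if any(value in str(v) for v in event.values()):
                return True
        elif event.get(field) == value:
            return True
    return False


def correlate(events, clauses):
    """Equivalent of `stats count(cs_url_host) as cnt, values(url) as url by cs_url_host`."""
    hits = defaultdict(lambda: {"cnt": 0, "url": set()})
    for ev in events:
        if event_matches(ev, clauses):
            hits[ev["cs_url_host"]]["cnt"] += 1
            hits[ev["cs_url_host"]]["url"].add(ev["url"])
    return {h: {"cnt": d["cnt"], "url": sorted(d["url"])} for h, d in hits.items()}


if __name__ == "__main__":
    print(correlate(PROXY_EVENTS, subsearch_clauses(CNC_ADDRESSES, CNC_FIELD)))  # {}
    print(correlate(PROXY_EVENTS, subsearch_clauses(CNC_ADDRESSES)))  # two hosts matched
```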
Thanks Mate,
I remember trying it but didn't work the query out well. Now I did.
Appreciate you helping me 🙂