Splunk Search

lookup the fields in a different index

goringop
Explorer

I have a splunk query in paloalto data (index=idx_paloalto) something like this:

index=idx_paloalto sourcetype=pan:traffic (app:subcategory=encrypted-tunnel OR app:subcategory=gaming OR app:subcategory=proxy OR app:subcategory=remote-access) NOT (application=ssl OR app:subcategory=storage-backup OR app:subcategory=email)
| search action=allowed bytes>=10000000
| eval user=mvindex(split(user,"\\"),-1)
| table app:subcategory generated_time user src_ip application src_zone dest_zone action bytes_in bytes_out bytes
| sort 0 -bytes

result:

app:subcategory  | generated_time  | username | src_ip       | application | src_zone | dest_zone | action  | bytes_in   | bytes_out | bytes
-----------------|-----------------|----------|--------------|-------------|----------|-----------|---------|------------|-----------|-----------
encrypted-tunnel | 8/25/2020 11:19 | user123  | 10.24.144.81 | ssh         | GDC-ENET | ENET      | allowed | 3649914812 | 167157295 | 3817072107
encrypted-tunnel | 8/25/2020 6:16  | user546  | 10.21.132.48 | ssh         | SVS-In   | SVS-In    | allowed | 259262655  | 871766    | 260134421


Then another query in Active Directory data (index=idx_ms_ad) something like this:

index=idx_msad sourcetype=ActiveDirectory
| eval username = sAMAccountName
| dedup username
| table username displayName mail
| sort -username

result:

username | displayName   | mail
---------|---------------|--------------------------
user123  | Tommy Lee     | tommy.lee@domain.com
user546  | Richard White | richard.white@domain.com


What I need is to look up the username from index ms_ad and get additional details like the displayName and mail into my paloalto query, getting a result something like this:

app:subcategory  | generated_time  | username | displayName   | mail                     | src_ip       | application | src_zone | dest_zone | action  | bytes_in   | bytes_out | bytes
-----------------|-----------------|----------|---------------|--------------------------|--------------|-------------|----------|-----------|---------|------------|-----------|-----------
encrypted-tunnel | 8/25/2020 11:19 | user123  | Tommy Lee     | tommy.lee@domain.com     | 10.24.144.81 | ssh         | GDC-ENET | ENET      | allowed | 3649914812 | 167157295 | 3817072107
encrypted-tunnel | 8/25/2020 6:16  | user546  | Richard White | richard.white@domain.com | 10.21.132.48 | ssh         | SVS-In   | SVS-In    | allowed | 259262655  | 871766    | 260134421
0 Karma

richgalloway
SplunkTrust

Have you tried combining the two searches into a single query?

index=idx_paloalto sourcetype=pan:traffic (app:subcategory=encrypted-tunnel OR app:subcategory=gaming OR app:subcategory=proxy OR app:subcategory=remote-access) NOT (application=ssl OR app:subcategory=storage-backup OR app:subcategory=email)
| search action=allowed bytes>=10000000
| eval username=mvindex(split(user,"\\"),-1)
| fields app:subcategory generated_time username src_ip application src_zone dest_zone action bytes_in bytes_out bytes
| append [ index=idx_msad sourcetype=ActiveDirectory
| eval username = sAMAccountName
| dedup username
| fields username displayName mail ]
| stats values(*) as * by username
| sort - bytes
| table app:subcategory generated_time username displayName mail src_ip application src_zone dest_zone action bytes_in bytes_out bytes
---
If this reply helps you, Karma would be appreciated.
0 Karma
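The append-then-stats pattern above works, but two properties of it are worth knowing before relying on it for a detection: `stats values(*) as * by username` collapses every traffic event of a user into one row (bytes, src_ip and generated_time become multivalue fields when a user has more than one qualifying flow), and the appended subsearch is bounded by the subsearch limits of `append` (`maxout`, default 50000 results, and `maxtime`, default 60 seconds), so a large directory can be silently truncated. The idiomatic Splunk answer to "look up attributes from another index" is to materialise the AD attributes into a CSV lookup with a scheduled search and then enrich the Palo Alto events with the `lookup` command, which keeps one row per flow. The two searches below are an added example written for this page, not code from the question or the reply above; the lookup file name `ad_users.csv` and the `not-in-AD` placeholder are assumptions. The first search is meant to run on a schedule (for example daily) so the CSV tracks directory changes; the second is the enriched version of the original traffic search.

```spl
index=idx_msad sourcetype=ActiveDirectory
| eval username=lower(sAMAccountName)
| stats latest(displayName) as displayName latest(mail) as mail by username
| outputlookup ad_users.csv

index=idx_paloalto sourcetype=pan:traffic (app:subcategory=encrypted-tunnel OR app:subcategory=gaming OR app:subcategory=proxy OR app:subcategory=remote-access) NOT (application=ssl OR app:subcategory=storage-backup OR app:subcategory=email)
| search action=allowed bytes>=10000000
| eval username=lower(mvindex(split(user,"\\"),-1))
| lookup ad_users.csv username OUTPUT displayName mail
| fillnull value="not-in-AD" displayName mail
| table app:subcategory generated_time username displayName mail src_ip application src_zone dest_zone action bytes_in bytes_out bytes
| sort 0 -bytes
```

Both sides normalise the username with `lower()` because lookup matching is case-sensitive by default and the account name written by the firewall does not always match the case of `sAMAccountName`; `latest()` keeps the most recent attribute values when the AD source emits several events per account; and `fillnull` makes users that exist in the firewall logs but not in the directory visible in the result instead of leaving the columns empty, which is exactly the kind of account an analyst wants to notice in an encrypted-tunnel report.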