Splunk Search

search field from 1 index to other index field

shashilendra
Explorer

Hi,

I have an index "otx" with a field "indicator", and I want to trigger an alert if any IP address from "indicator" matches my ASA firewall logs, where "dest_ip" is the field in the ASA logs. I am trying the query below.

index=asa | join dest_ip [search sourcetype="otx:indicator" type=IPV4 | fields indicator | rename indicator as dest_ip]

Thanks

shashi

1 Solution

scelikok
SplunkTrust

Hi @shashilendra,

Please try the search below; the result should show the timestamp of the last ASA event with the src_ip values for each matching dest_ip.

((index=otx sourcetype=otx:indicator type=IPV4) OR index=*asa*)
| eval indicator=coalesce(indicator,dest_ip)
| eval asa_time=if(match(index,"asa"),_time,0)
| stats dc(index) as idx_count max(asa_time) as _time values(src_ip) as src_ip by indicator
| where idx_count > 1
| table _time src_ip indicator

If this reply helps you an upvote and "Accept as Solution" is appreciated.

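As an added example (not scelikok's search or any Splunk-supplied search), a variant of the accepted answer that replaces dc(index) with explicit per-source flags, so that a wildcard index pattern matching two firewall indexes cannot satisfy the where clause by itself, and that carries the fields the alert needs: first and last ASA hit, hit count, src_ip values and the OTX title. It assumes the indexes are literally named otx and asa and that OTX events carry a title field, as in to4kawa's reply.

```spl
((index=otx sourcetype="otx:indicator" type=IPV4 indicator=*) OR (index=asa dest_ip=*))
| eval indicator=coalesce(indicator, dest_ip)
| eval is_otx=if(index=="otx",1,0), is_asa=if(index=="asa",1,0)
| eval asa_time=if(is_asa==1,_time,null())
| stats max(is_otx) as has_otx max(is_asa) as has_asa
        min(asa_time) as first_seen max(asa_time) as last_seen
        count(eval(is_asa==1)) as asa_hits
        values(src_ip) as src_ip values(title) as otx_title
        by indicator
| where has_otx=1 AND has_asa=1
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen asa_hits src_ip indicator otx_title
```

Restricting each leg with indicator=* and dest_ip=* keeps events that lack the IP field out of the coalesce, and null() for non-ASA rows means first_seen and last_seen come only from firewall events rather than from a 0 placeholder.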

to4kawa
Ultra Champion

(sourcetype="otx:indicator" type=IPV4) OR (index=*asa* sourcetype="cisco:asa" dest_ip=*)
| eval ip=coalesce(indicator,dest_ip)
| stats min(_time) as first_time max(_time) as last_time range(_time) as duration values(title) as title by ip
| convert ctime(first_time) ctime(last_time)
| search title=*



scelikok
SplunkTrust

Hi @shashilendra,

Sorry, the where command was wrong in my search; please try below:

((index=otx sourcetype=otx:indicator type=IPV4) OR index=*asa*)
| eval indicator=coalesce(indicator,dest_ip)
| stats dc(index) as idx_count max(_time) as _time by indicator
| where idx_count > 1
| table _time indicator
If this reply helps you an upvote and "Accept as Solution" is appreciated.

shashilendra
Explorer


Hi,

I can see the matching IP addresses from both indexes, but I want to know which source IP address triggered this traffic and at what time. In the ASA log the "src_ip" field contains the source IP address.

I will create an alert which contains time, src_ip, dest_ip/indicator.


scelikok
SplunkTrust

Hi @shashilendra,

Please try the search below; you can adapt it to your needs:

((index=otx sourcetype=otx:indicator) OR index=asa)
| eval indicator=coalesce(indicator,dest_ip)
| stats dc(index) max(_time) as _time by indicator
| where indicator > 1
| table _time indicator


If this reply helps you an upvote and "Accept as Solution" is appreciated.

shashilendra
Explorer

Hi,

I tried your query but got no results, even though both indexes have a matching IP address.

dest_ip=13.66.139.23

indicator=13.66.139.23


shashilendra
Explorer

I even tried the query below as well:

index=asa dest_ip=* [search sourcetype="otx:indicator" type=IPV4 | fields indicator | rename indicator as dest_ip] | table dest_ip

Thanks

shashi
