Splunk Search

search on subsearch using data from main search results

taufiqkpi
Loves-to-Learn

hello Splunkers!
I've got an issue with this query, in "main search" I got data src, can I use "src" to get data on my "second search".
later on, the final result ignored from "main search "
anyone can help me?
thanks,

index=VPN | table src -> main search
    [search index=firewall | table src dest_ip] -> second search
    | table src dest_ip

 

Labels (2)
Tags (3)
0 Karma

scelikok
SplunkTrust
SplunkTrust

So, my search should work for you.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

taufiqkpi
Loves-to-Learn

Sorry this solution not solving my problem

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @taufiqkpi,

I think you want to filter VPN sources from Firewall index, please try below;

search index=firewall NOT 
    [ index=VPN 
    | fields src] 
| table src dest_ip
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

taufiqkpi
Loves-to-Learn

Sory sir @scelikok, I mean from main search we get src fields.

 

index=VPN | table src

 

after this, fileds src from "main search" as search data to "second search"

 

[search src="from data main search" index=firewall | table src dest_ip]
    | table src dest_ip

 

 

Tags (3)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...