I'm trying to create a search where I take a small list of IPs from sourcetype A and compare them against a larger set of IPs in sourcetype B. I will then make a table using fields from sourcetype B that do not exist in sourcetype A to create a more detailed look of the events involving the IP.
Is there a way to do this without using a lookup table?
index=paloalto (sourcetype=sourcetype_B OR sourcetype=sourcetype_A)
| eval small_tmp=case(log_type="CORRELATION", src_ip)
| eval large_tmp=case(log_type!="CORRELATION", src_ip)
| where match(small_tmp, large_tmp)
| table field A, field B, field C
Yes, such use cases are quite common, simple, and it is not always appropriate to use a lookup table. In fact, correlation search is the most fundamental strength of Splunk. Meanwhile, you do want to consider whether it is appropriate to compare the two sourcetypes in the same time search period.
This said, your final table is not very illustrative for the statement "make a table using fields from sourcetype B that do not exist in sourcetype A" because IP is nowhere in that table. Mind-reading 1: I will insert src_ip into the table. More critically, you did not illustrate what you mean exactly by "compare (IPs from sourcetype A) against a larger set of IPs". In the end result, do you want to list IPs in sourcetype B that do not exist in sourcetype A? Mind-reading 2: I will assume no on this.
index=paloalto (sourcetype=sourcetype_B OR sourcetype=sourcetype_A)
| stats values(field_A) as field_A values(field_B) as field_B values(field_C) as field_C values(sourcetype) as sourcetype by src_ip
| where sourcetype == "sourcetype_A"
| fields - sourcetype
Here, the filter uses a side effect of Splunk's equality comparator on multivalue fields. (There are more semantically expressive alternatives but most people just use this shortcut.)
Okay, let me back up. One sourcetype contains the correlation logs with src_ip as its primary identifier. The other sourcetype is our threat logs where we see far more data about destination, url, app, etc. I want to create a search that takes the IPs from the correlation logs and looks for the same src_ip in the threat logs within a range of 1-2 hours and returns a detailed table describing what could have caused the correlation event to be created.
Is this possible to do without using an outputlookup?
Also this index has a datamodel that I could leverage where nodenames are log.threat and log.correlation
Have you tried the search I suggested? That does exactly what you are saying here, and doesn't use a lookup. (I understand field_A, field_B, etc., are stand-ins for real field names.)
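For anyone who wants to check what the no-lookup join above should return before running it against a live index, here is an added Python model of the two pieces of logic discussed in this thread: the `stats values(...) by src_ip` join (IPs from the small correlation sourcetype with the detail fields collected from the large threat sourcetype) and the time-windowed variant from the follow-up question (only threat events in the hours before the correlation event). This is not Splunk code and not from the thread; the sample events are constructed, and the threat-log field names `dest`, `url` and `app` are assumed from the description above. Unlike the Splunk search, which relies on how the equality comparator treats a multivalue `sourcetype` field, the model checks membership explicitly and only emits a row when the IP appears in both sourcetypes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Palo Alto logs). sourcetype_A holds the
# small set of correlation events; sourcetype_B holds the larger threat log.
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "sourcetype": "sourcetype_A", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-01T12:30:00", "sourcetype": "sourcetype_A", "src_ip": "10.0.0.9"},
    {"_time": "2024-01-01T09:15:00", "sourcetype": "sourcetype_B", "src_ip": "10.0.0.5",
     "dest": "203.0.113.7", "url": "example.test/a", "app": "web-browsing"},
    {"_time": "2024-01-01T09:50:00", "sourcetype": "sourcetype_B", "src_ip": "10.0.0.5",
     "dest": "203.0.113.8", "url": "example.test/b", "app": "ssl"},
    {"_time": "2024-01-01T03:00:00", "sourcetype": "sourcetype_B", "src_ip": "10.0.0.5",
     "dest": "203.0.113.9", "url": "example.test/old", "app": "dns"},
    {"_time": "2024-01-01T11:00:00", "sourcetype": "sourcetype_B", "src_ip": "10.0.0.9",
     "dest": "198.51.100.2", "url": "example.test/c", "app": "smtp"},
    {"_time": "2024-01-01T10:20:00", "sourcetype": "sourcetype_B", "src_ip": "10.0.0.77",
     "dest": "198.51.100.3", "url": "example.test/d", "app": "web-browsing"},
]

SMALL = "sourcetype_A"   # correlation logs
LARGE = "sourcetype_B"   # threat logs


def _parse(ts):
    return datetime.fromisoformat(ts)


def stats_by_src_ip(events):
    """Model of `stats values(<field>) as <field> ... by src_ip`: the distinct
    values of every field per src_ip, including the sourcetypes it appeared in."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for field, value in ev.items():
            if field in ("_time", "src_ip"):
                continue
            grouped[ev["src_ip"]][field].add(value)
    return grouped


def ips_with_threat_detail(events, small=SMALL, large=LARGE):
    """The no-lookup join: keep src_ips that occur in the small sourcetype and
    return the threat-log fields gathered from the large one."""
    rows = []
    for src_ip, fields in sorted(stats_by_src_ip(events).items()):
        seen = fields["sourcetype"]
        # Explicit membership test; Splunk's search does this via `where sourcetype == "<small>"`
        # on the multivalue field produced by values(sourcetype).
        if small in seen and large in seen:
            rows.append({
                "src_ip": src_ip,
                "dest": sorted(fields["dest"]),
                "url": sorted(fields["url"]),
                "app": sorted(fields["app"]),
            })
    return rows


def threat_events_before_correlation(events, window_hours=2, small=SMALL, large=LARGE):
    """Time-windowed variant: threat events for a correlated src_ip that fall in the
    `window_hours` before (or at) the correlation event, i.e. candidates for what
    triggered it. Window direction and length are assumptions for this example."""
    corr_times = defaultdict(list)
    for ev in events:
        if ev["sourcetype"] == small:
            corr_times[ev["src_ip"]].append(_parse(ev["_time"]))
    window = timedelta(hours=window_hours)
    rows = []
    for ev in events:
        if ev["sourcetype"] != large or ev["src_ip"] not in corr_times:
            continue
        t = _parse(ev["_time"])
        for ct in corr_times[ev["src_ip"]]:
            if timedelta(0) <= ct - t <= window:
                rows.append({**ev, "correlation_time": ct.isoformat()})
                break
    return rows


if __name__ == "__main__":
    for row in ips_with_threat_detail(EVENTS):
        print(row)
    for row in threat_events_before_correlation(EVENTS):
        print(row["src_ip"], row["_time"], row["dest"], row["app"], "->", row["correlation_time"])
```

With the sample data, the plain join returns 10.0.0.5 and 10.0.0.9 with all of their threat-log values, while the 2-hour window drops the 03:00 dns event for 10.0.0.5 and keeps the 11:00 smtp event for 10.0.0.9; shrinking the window to 1 hour drops that one too. The IP seen only in the threat log (10.0.0.77) never appears, which is the "assume no" reading of the question above.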