Hello Splunkers, I'm new to Splunk and I'm stuck; I'm getting more data than I'm supposed to. Users are showing up when they shouldn't, and vice versa. The purpose of the query is to determine which users are accessing the bastion with the tag=1 from the "index2" index. However, there's no information on the users. That's why I'm fetching user data from the "index1" index by performing a join on the IP address. The ultimate goal is to display the results in the following format: Users - IP - _time. It's important to note that IP addresses are dynamic.
When I run this command, it returns 1000 lines: `index="index2" tag=1 | table srcip, _time`
However, when I run this command, I get a lot more (11000), even though I'm supposed to have the same number since I'm just fetching users from the other index, but I'm not supposed to have any additional lines:
```spl
index="index1" | search Users=* AND IP=*
| fields Users, IP, _time
| where NOT match(Users, "^AAA-[0-9]{5}$")
| eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP)
| eval ip=IP
| table Users, ip, _time
| join type=inner ip
    [ search index="index2" tag=1 | fields srcip, _time | eval ip=srcip | table ip, _time ]
| table Users, ip, _time
```
Does anyone have a solution?
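The following is an added illustration, not the poster's query or anything run in Splunk: it models the row semantics of SPL `join` on constructed sample data to show why the row count follows the main search (the 11000 `index1` user events) rather than the 1000 bastion events, and contrasts it with a time-aware attribution that yields one row per bastion event. The data, the `UserRow`/`BastionRow` shapes and the function names are assumptions for the example.

```python
"""Why `index1 ... | join type=inner ip [index2 ...]` over-counts.

Added illustration only (not Splunk code): the two functions imitate
SPL join row semantics over constructed rows, so the effect can be seen
without a Splunk instance."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UserRow:      # one "index1" event: a user seen on an IP at a time
    user: str
    ip: str
    time: int


@dataclass(frozen=True)
class BastionRow:   # one "index2" event: a tagged connection to the bastion
    srcip: str
    time: int


# Constructed sample data (assumption, not from the post). IP 10.0.0.5 is
# dynamic: alice holds it first, then bob is seen on it from t=200.
INDEX1 = [
    UserRow("alice", "10.0.0.5", 100), UserRow("alice", "10.0.0.5", 130),
    UserRow("alice", "10.0.0.5", 160), UserRow("bob", "10.0.0.5", 200),
    UserRow("bob", "10.0.0.5", 230), UserRow("carol", "10.0.0.9", 120),
    UserRow("dave", "10.0.0.7", 140),
]
INDEX2 = [BastionRow("10.0.0.5", 150), BastionRow("10.0.0.5", 250),
          BastionRow("10.0.0.9", 300)]


def naive_inner_join(main: List[UserRow], sub: List[BastionRow]) -> List[dict]:
    """Mimics `join type=inner ip` with index1 as the MAIN search.

    Every main row whose ip has at least one subsearch match survives;
    with the default max=1 only the first matching subsearch row is
    attached, and its fields overwrite the main row's (overwrite=true).
    The output size therefore scales with index1 events, not bastion events.
    """
    first_match = {}
    for b in sub:
        first_match.setdefault(b.srcip, b)
    out = []
    for m in main:
        b = first_match.get(m.ip)
        if b is not None:
            out.append({"Users": m.user, "ip": m.ip, "_time": b.time})
    return out


def attribute_by_time(bastion: List[BastionRow], users: List[UserRow]) -> List[dict]:
    """One output row per bastion event, attributed to the user most
    recently seen on that IP at or before the event (None if nobody was).
    This is the Users - IP - _time shape the question asks for and it
    respects dynamic IP reassignment."""
    out = []
    for b in bastion:
        cands = [u for u in users if u.ip == b.srcip and u.time <= b.time]
        owner: Optional[UserRow] = max(cands, key=lambda u: u.time, default=None)
        out.append({"Users": owner.user if owner else None,
                    "ip": b.srcip, "_time": b.time})
    return out


if __name__ == "__main__":
    print(len(naive_inner_join(INDEX1, INDEX2)), "rows from the naive join")
    for row in attribute_by_time(INDEX2, INDEX1):
        print(row)
```

On this data the naive join returns six rows for three bastion connections, and every 10.0.0.5 row carries the same `_time` (150, the first subsearch match), so the time column no longer says when each user connected. The time-aware version returns exactly three rows and attributes the t=250 connection to bob rather than alice. In SPL the corresponding change of shape is to drive the search from `index2` (the bastion events) and attach user information to those rows, since `join` output rows always come from the main search.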