I am looking for a way to compare data from multiple inputlookup csv's. Each CSV has the same exact set of fieldnames (IP, Host, Title). I know that I can list all the data from one csv by running: | inputlookup table1.csv but I would like to search multiple table's at once and compare the results from specific fields. Is this possible in Splunk? I imagine it's doable using a subsearch but I haven't had much luck. Things like: | inputlookup table1.csv [ | inputlookup table2.csv ] doesn't seem to work. Anyone have any thoughts on this? Thanks in advance! ... View more

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IP's from my IDS alerts match any of the src_IP's from the OSINT data. I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax. What I tried was something like this: sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results. Am I headed in the right direction? Any help would be great! ... View more