Greetings, I'm looking to craft a correlation that allows me to compare the results between two separate searches. Here's the use case: I have 2 indexes, one containing Threat Intelligence data (including domain names, to be specific for this case), while the other index holds all DNS requests. I'm looking to craft a Splunk correlation that reads each domain within the DNS requests, then compares each of those domains to the Threat Intelligence data and sees if there are any matches. For instance, maybe something along the lines of the logic below:

index=Threat_Intelligence | table DomainName | where DomainName IN [search index=DNS | table RequestedDomain]

FYI: The latest Threat Intelligence feeds are pulled every single morning and are updated within Splunk. I thought about using lookup tables or KV Store lookups, but we're pulling in several files each morning, 2 of which are close to 1GB in size. It looks like Splunk Cloud caps the event limit of these lookups to 10,000 events by default, and I've read to be cautious about increasing this limit.
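One way to build this correlation, given here as an added example and not taken from the original post: search both indexes in a single search and match them with stats instead of a subsearch, so the match is not capped by the subsearch result limit. The index and field names (DNS, Threat_Intelligence, RequestedDomain, DomainName) are taken from the question; it assumes the search's time range covers the most recent feed load, and that domains in both sources may differ only in case or a trailing dot.

```spl
(index=DNS RequestedDomain=*) OR (index=Threat_Intelligence DomainName=*)
| eval domain=lower(trim(coalesce(RequestedDomain, DomainName), "."))
| eval src=if(isnotnull(RequestedDomain), "dns", "ti")
| eval dns_time=if(src="dns", _time, null())
| stats values(src) AS sources
        count(eval(src="dns")) AS dns_requests
        min(dns_time) AS first_seen
        max(dns_time) AS last_seen
        BY domain
| where mvcount(sources) = 2
| convert ctime(first_seen) ctime(last_seen)
| table domain dns_requests first_seen last_seen
```

Only domains seen in both indexes survive the `where`, so each result row is a DNS-requested domain that also appears in the threat feed, with the request count and the first and last request times. The subsearch form in the question is subject to the subsearch result limit (10,000 results by default), which this stats-based match avoids at the cost of scanning both indexes in one search.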