×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kirkj
Observer
Member since: ‎09-23-2021
‎06-21-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-23-2021
Activity Feed
View All

Re: splunk match between different sourcetypes

by in Splunk Search
‎06-21-2024 11:36 AM
‎06-21-2024 11:36 AM
Okay let me back up.  One sourcetype contains the correlation logs with src_ip as it's primary identifier.  the other sourcetype is our threat logs where we see far more data about destination, url, app, etc.  I want to create a search that takes the IPs from the correlation logs and looks for the same src_ip in the threat logs within a range of 1-2 hours and returns a detailed table describing what could have caused the correlation event to be created. Is this possible to do without using an outputlookup?   Also this index has a datamodel that I could leverage where nodenames are log.threat and log.correlation   ... View more

splunk match between different sourcetypes

by in Splunk Search
‎06-21-2024 08:08 AM
‎06-21-2024 08:08 AM
I'm trying to create a search where I take a small list of IPs from sourcetype A and compare them against a larger set of IPs in sourcetype B.  I will then make a table using fields from sourcetype B that do not exist in sourcetype A to create a more detailed look of the events involving the IP. Is there a way to do this without using a lookup table? index=paloalto (sourcetype=sourcetype_B OR sourcetype=sourcetype_A) | eval small_tmp=case(log_type="CORRELATION", src_ip) | eval large_tmp=case(log_type!="CORRELATION", src_ip) | where match(small_tmp, large_tmp) | table field A, field B, field C   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-21-2024 02:52 PM