×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
lhillscu
Engager
Member since: ‎06-08-2022
‎04-06-2026
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-08-2022
Activity Feed
View All

Re: Running SPL via Visual Studio Code

by in Other Usage
‎09-11-2024 10:34 AM
‎09-11-2024 10:34 AM
Did you ever figure out what the issue was? I am having the same issue with VSCode and the API, however it did work at one point earlier this year and has now stopped working. I don't know exactly when because it has not been a regular thing to use VSCode to search our Splunk Cloud. ... View more

Re: Join Two Searches on Shared Field Value

by in Splunk Search
‎02-05-2024 11:43 AM
‎02-05-2024 11:43 AM
I figured out the issue. The API fields needed to be double quoted or the reference broke. I assume it has something to do with the message being a JSON object. Outside of that minor syntax issue, your solution worked. Thank you! ... View more

Re: Join Two Searches on Shared Field Value

by in Splunk Search
‎02-05-2024 07:04 AM
‎02-05-2024 07:04 AM
It's message.id. There is a JSON object called message that has a number of fields in it. message.id gets the WAF session id value. ... View more

Re: Join Two Searches on Shared Field Value

by in Splunk Search
‎02-02-2024 10:36 AM
‎02-02-2024 10:36 AM
Apologies I took out all the extra renames to try to simplify the search since those aren't really critical to the data I'm trying to get. The fields are actually as they are named in the full search with the join. First search thus should be: index=api source=api_call | rename id as sessionID | fields apiName, message.payload, sessionID ... View more

Re: Join Two Searches on Shared Field Value

by in Splunk Search
‎02-02-2024 10:33 AM
‎02-02-2024 10:33 AM
I now get almost 2 million events, which is about all the events in the WAF log for yesterday, but no table of results. I know that yesterday there was 1 connection through the WAF which produced 6 API calls (one primary and then several downstream). So the number of lines in my table should be 6. ... View more

Join Two Searches on Shared Field Value

by in Splunk Search
‎02-02-2024 08:56 AM
‎02-02-2024 08:56 AM
I have an index that contains all the hits for our WAF and an index that contains the subsequent API call details for any of those hits that are an application calling one our APIs behind the WAF. There is a shared identifier that the WAF passes to the API call so we can link them together and see what IP, user agent string, etc. made that API call. I am trying to pull data from both indexes together into a nice table so that our devs and our security folks can see what API calls are being made, who/what is calling them, and the payloads.  API search: index=api source=api_call | rename id as sessionID | fields apiName, payload, sessionID WAF search: index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID My attempt to join them on the sessionID which is not working. It returns no results. index=api source=api_call | rename message.id as sessionID | fields apiName, message.payload, sessionID | join sessionID [search index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID] | table apiName, message.payload, sessionID, src_ip, requestHost, requestPath, requestUserAgent I know joins are not very performative, so I'm open to alternatives that don't use it, but I'm not sure what those would be. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-06-2026 05:58 AM