×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
olbapito
New Member
Member since: ‎08-30-2022
‎08-31-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-30-2022
View All

Re: How to make two searches in the same index but...

by in Splunk Search
‎08-30-2022 10:25 AM
‎08-30-2022 10:25 AM
Hi Giuseppe, I like the way of doing that without join. i´ve notice that joins are terrible slow. The problem with the example is that it give data that I don´t need. I mean eventtype 000111 is an event which occurs very few times in a week, meanwhile event 123 occurs permanently. both events, 000111 and 123 have the srcip field, but just the event 123 have the hostname field, so I need to having found an unique 000111 event, look for a 123 event which has the same ip address on the same time (around 10 minutes) to take its hostname.  On the query suggested I´m getting ip and hostname for every event which has an 123 event. but they don´t have an 000111 event.   Thanks ... View more

How to make two searches in the same index but dif...

by in Splunk Search
‎08-30-2022 08:29 AM
‎08-30-2022 08:29 AM
Hi! I have a log like this eventtype=000111 msg=malicious srcip=11.11.22.22 eventtype=123 msg=traffic srcip=11.11.22.22 hostname=MyMachine Both lines are on the same index, would like to get something like this eventtype=000111 msg=malicious srcip=11.11.22.22 hostname=MyMachine I´ve tryied using joins, but they just could get results when indexes are different. because the initial condition of eventtype doesn´t match with the second event. this is the query which doesn´t work index=index_ logid=1122 | fields * | join srcip [search index=index_ | table hostname ] | table eventtype msg srcip hostname Can you help me? Thanks!! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-31-2022 11:13 AM