cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
chr1s
Engager
Member since: ‎03-10-2020
‎07-21-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-10-2020
Activity Feed
View All

Re: Running search on 2 indexes using lookup table

by in Splunk Search
‎07-21-2023 01:57 AM
‎07-21-2023 01:57 AM
Hi @gcusello  There are differences in both indexes. Only src and src_ip are similar fields. Does both indexes need to have the same fields for this syntax to work correctly?  ... View more

Re: Running search on 2 indexes using lookup table

by in Splunk Search
‎07-20-2023 06:13 AM
‎07-20-2023 06:13 AM
Hi @gcusello  The only fields that are similar in index1 & index2 are: src and src_ip The fields required in index1: 'src' or 'src_ip' and 'domain' The fields required in Index2: 'src' or 'src_ip' and 'user' Is there a way to create a variable from the index1 search and later to use it in the index2 search to get the username field? ... View more

Re: Running search on 2 indexes using lookup table

by in Splunk Search
‎07-20-2023 12:13 AM
‎07-20-2023 12:13 AM
Hi @gcusello  The syntax I have now is looking ok except the user field is not populated. The src or src_ip field needs to search index2 and a manual search returns many results. I assume that this is causing the user field not to populate?  index=index1 domain=* OR index=index2 | lookup weblist.csv domain AS domain OUTPUT domain AS domain | where isnotnull(domain) | eval src=coalesce(src,src_ip) | stats earliest(_time) As _time values(user) AS user values(domain) AS domain BY src | table _time domain src user   ... View more

Re: Running search on 2 indexes using lookup table

by in Splunk Search
‎07-19-2023 06:14 AM
‎07-19-2023 06:14 AM
Hi @gcusello  Thank you for helping. The 2 common fields in both indexes is 'src_ip' Index1 fields I need to use: src or src_ip, domain Index2 fields I need to use: src_ip, user domain field is only present in Index1. Hope this helps.  ... View more

Running search on 2 indexes using lookup table

by in Splunk Search
‎07-19-2023 05:20 AM
‎07-19-2023 05:20 AM
Grateful if anyone can help or guide me in the right direction. I am running a search against a lookup table. The output is a list of websites that were accessed. The website and source address are in index1. I want to use the source address to search in index2 to locate the user assigned to that IP address.  Matching is working well and I am stuck how to proceed with the 2nd search query.     index=index1 domain=* OR index=index2 | lookup weblist.csv domain AS domain OUTPUT domain AS MATCHED | where isnotnull(MATCHED) | table _time, MATCHED, src, user     In Index2, src_ip and user fields exist.   ... View more
Labels

Re: ThreatHunting app (by Olaf Hartong) Red Triang...

by in All Apps and Add-ons
‎03-10-2020 01:19 AM
‎03-10-2020 01:19 AM
Thank you this solved the issue. Several posts on this issue and this was the clearest solution ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-21-2023 09:03 AM
Karma given to
View All