×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
lemame
New Member
Member since: ‎05-10-2020
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-10-2020
View All

Re: How to find common results of a subsearch with...

by in Splunk Enterprise Security
‎05-11-2020 04:20 AM
‎05-11-2020 04:20 AM
Hello Mr. Galloway, I have slightly modified your query and it works fine. I wanna thank you for your help. Appreciate. Regards, Thomas ... View more

Re: How to find common results of a subsearch with...

by in Splunk Enterprise Security
‎05-10-2020 12:06 PM
‎05-10-2020 12:06 PM
Hello Mr. Galloway, thank you very much, but your query seems it takes into consideration always either index1name or index2name, but not both. In general, i need this query for the following: The main index must always be Index1name. so the query will check index1name and field DNS_domain. Once this first step id done, it will then check Index2name. If Index1name DNS_domain contain equals Index2name query, than query supposed to result to show IP address 2 from Index2name. If this is no clear, so I will give you a practical example. Our detection system (Index1name) detects, that internal computer hits malicious Internet site (DNS_domain). IP address of the internal computer is not present Index1name IP address 1 field and we must go to detection system 2 (Index2name), find the same malicious domain (Index2name query) as it has been in Index1name DNS_domain. Once equals, then write query result to show IP address 2 from Index2name. I appreciate your help. Regards, Thomas ... View more

How to find common results of a subsearch with the...

by in Splunk Enterprise Security
‎05-10-2020 12:47 AM
‎05-10-2020 12:47 AM
Hello, I would like to ask you for your help. I have two sources (indexes) in Splunk and need to link it together via query and receive results which IP addres hit a malicious domain. The tabs are as follow: Index1name DNS_domain IP adress 1 Index2name query IP address 2 The point of intersection (link) for both tables is: Index1name - DNS_domain Index2name - query If I run the following query, it works properly and I receive desired results which IP address 2 hit example.com. index= Index1name DNS_domain="example.com" | rename DNS_domain AS query | join query [search index= Index2name query="example.com"] …but I need to have a query, that will provide me with the same results for all such detections where the match of DNS_domain and query is in place. If I modify query above with “*”, it will not return me back any results )o: I appreciate your help. Thank you. Regards Thomas ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM