Hi All,
I need help with a Splunk query for the scenario below:
Query 1:
index =abc | table src, dest_name, severity, action
If it finds a dest_name with high or critical severity, it should look for a matching computerdnsname in index xyz, and if it matches there, display the result.
Query 2:
index=xyz
Hi @nilbak88,
as @richgalloway said, it's difficult to help you with so little information, but anyway I'll try to guess your need:
Query 1:
(index=abc (severity=high OR severity=critical)) OR index=xyz
| eval dest_name=coalesce(dest_name,computerdnsname)
| stats values(src) AS src values(severity) AS severity values(action) AS action dc(index) AS dc_index BY dest_name
| where dc_index=2
| table dest_name src severity action
Ciao.
Giuseppe
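A variant of the query above, added here as an example and not part of Giuseppe's answer or the original thread. It keeps the same field names (index abc with dest_name/severity/src/action, index xyz with computerdnsname) but assumes, as a hypothetical, that the two sources may spell the host differently: one as a short hostname, the other as an FQDN, or with different case. Matching on the raw field would then silently miss hosts, so the key used for the stats is normalised to the lower-cased first DNS label, while the original values of both fields are kept in the output so you can see what was actually matched:

```spl
(index=abc (severity=high OR severity=critical)) OR index=xyz
| eval host_raw=coalesce(dest_name, computerdnsname)
| eval host_key=lower(mvindex(split(host_raw, "."), 0))
| stats values(src) AS src
        values(severity) AS severity
        values(action) AS action
        values(dest_name) AS dest_name
        values(computerdnsname) AS computerdnsname
        dc(index) AS dc_index
        BY host_key
| where dc_index=2
| table host_key dest_name computerdnsname src severity action
```

Two caveats. Collapsing to the first label merges hosts that share a short name across different domains; if both indexes already carry full FQDNs, drop the split() and keep only lower(). The dc(index)=2 test works because the index=abc side is already filtered to high/critical, so a host that only has low-severity events in abc never reaches the count. If you specifically want the raw index=xyz events rather than an aggregate, the equivalent subsearch form is index=xyz [search index=abc (severity=high OR severity=critical) | dedup dest_name | rename dest_name AS computerdnsname | fields computerdnsname], keeping in mind the default subsearch limits on result count and run time.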
Thanks @gcusello.
That's what I was looking for.
However, I will get back to you on this again if I need more help.
Hi @nilbak88,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
How to merge the queries depends on what results you want displayed. Please tell us more about that.