I am writing a search that will track when the firewall sees outbound traffic over non-standard ports. I have a requirement that states if the destination ip is a known malicious domain, then the severity should be critical. Otherwise, it will be medium. I can certainly accomplish this by writing two searches (one for malicious domains, one for non-malicious domains), but was wondering if I could do it within one search.
I think you can manually set the severity field from within the correlation search (field name is "severity"). I would approach this by performing your lookup for known malicious domains and if true then set the severity to critical.
Something like this might work:
... | lookup nasty_ip_list ip OUTPUT ip AS nasty_ip | eval severity=if(len(nasty_ip)>0,"critical","medium") | ...
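The pipeline the answer above sketches (filter outbound traffic on non-standard ports, look the destination up in a malicious-IP list, then set `severity` from the lookup result) modelled in Python so the logic can be checked offline before it is put into a correlation search. This is an added example, not code from the original thread or from Splunk: the event lines, the `NASTY_IP_LIST` set (a stand-in for the `nasty_ip_list` lookup table), the `STANDARD_PORTS` set and the field names `direction`, `dest_ip` and `dest_port` are all constructed here. One practical note on the SPL itself: a firewall event normally carries the destination in a field such as `dest_ip`, not `ip`, so the lookup needs its key mapped (`lookup nasty_ip_list ip AS dest_ip OUTPUT ip AS nasty_ip`); the `lookup_nasty` function below mirrors that mapping, and `nasty_ip` is only set when the lookup matches, which is what the `eval` relies on.

```python
import re
from typing import Dict, List, Set

# Constructed sample firewall events (not real log data), in the key=value
# layout a Splunk firewall sourcetype typically extracts into fields.
SAMPLE_EVENTS = [
    "action=allowed direction=outbound src_ip=10.0.0.5 dest_ip=203.0.113.10 dest_port=443",
    "action=allowed direction=outbound src_ip=10.0.0.5 dest_ip=203.0.113.77 dest_port=4444",
    "action=allowed direction=outbound src_ip=10.0.0.9 dest_ip=198.51.100.8 dest_port=8081",
    "action=allowed direction=inbound src_ip=192.0.2.3 dest_ip=10.0.0.9 dest_port=4444",
    "action=allowed direction=outbound src_ip=10.0.0.12 dest_ip=198.51.100.8 dest_port=80",
]

# Hypothetical stand-in for the nasty_ip_list lookup table (one column: ip).
NASTY_IP_LIST: Set[str] = {"203.0.113.77", "192.0.2.3"}

# Assumed definition of "standard" outbound ports; adjust for your environment.
STANDARD_PORTS: Set[int] = {22, 25, 53, 80, 123, 443}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value pairs the way Splunk's automatic KV extraction would."""
    return dict(KV_RE.findall(line))


def is_nonstandard_outbound(event: Dict[str, str]) -> bool:
    """The base search: outbound traffic whose destination port is not standard."""
    if event.get("direction") != "outbound":
        return False
    try:
        port = int(event.get("dest_port", ""))
    except ValueError:
        return False
    return port not in STANDARD_PORTS


def lookup_nasty(event: Dict[str, str], nasty_ips: Set[str]) -> Dict[str, str]:
    """Mirror `lookup nasty_ip_list ip AS dest_ip OUTPUT ip AS nasty_ip`.

    As in Splunk, the output field only exists on events that matched.
    """
    if event.get("dest_ip") in nasty_ips:
        event["nasty_ip"] = event["dest_ip"]
    return event


def set_severity(event: Dict[str, str]) -> Dict[str, str]:
    """Mirror `eval severity=if(len(nasty_ip)>0,"critical","medium")`."""
    event["severity"] = "critical" if event.get("nasty_ip") else "medium"
    return event


def correlation_search(lines: List[str], nasty_ips: Set[str] = NASTY_IP_LIST) -> List[Dict[str, str]]:
    """Run the whole single-search pipeline over raw event lines."""
    results = []
    for line in lines:
        event = parse_event(line)
        if not is_nonstandard_outbound(event):
            continue
        results.append(set_severity(lookup_nasty(event, nasty_ips)))
    return results


if __name__ == "__main__":
    for hit in correlation_search(SAMPLE_EVENTS):
        print(hit["severity"], hit["src_ip"], "->", hit["dest_ip"], hit["dest_port"])
```

Running the block yields two hits: the 10.0.0.5 to 203.0.113.77:4444 event comes out as critical because the destination is in the list, while 10.0.0.9 to 198.51.100.8:8081 is medium; the inbound event and the two on standard ports never reach the lookup.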
You should look at the append or join command.
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Append
or
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Join
Another option would be to provide cleaned but representative search results that you want to combine.