Reputation: 1
Join 2 searches on Splunk
I have a table that refers to our threat intelligence IoC, and a table that refers to the company user logins.
I want to find the logins that come from an Ip address contained in our IoC list.
i tried with
"o365_management_activity" AND Operation=UserLoggedIn
| table user, src_ip
| rename src_ip AS event.indicator
| join event.indicator [search (index="threatstream_summary") (sourcetype="stash")
| table event.indicator]
but i cannot find any result (even if i remove "AND Operation=UserLoggedIn").
What am i missing?
thank you for helping
i tried a lot of query and read a lot, but no results
Upvotes: 0
Views: 997
Answers (1)
Reputation: 9926
One thing that is missing is an index name in the base search. Without it, Splunk will only read your default indexes (if you have any defined), which may not contain the data you seek.
Try to avoid the join command since it does not perform well. Try append, instead. How Splunk interprets field names with dots can be problematic so consider using src_ip instead of event.indicator.
index=foo "o365_management_activity" AND Operation=UserLoggedIn
| fields user, src_ip
| append [search index=threatstream_summary sourcetype=stash
| rename "event.indicator" as src_ip
| table src_ip ]
| stats values(*) as * by src_ip
Upvotes: 0
Related Questions
- Splunk records join on transaction-id
- How to aggregate or join two JSON datasets in Splunk?
- Join two Splunk queries without predefined fields
- Splunk Streamlined search for specific fields only
- Splunk : Join two indexes based on substring match
- splunk join 2 search queries
- Splunk how to combine two queries and get one answer
- Splunk lookuptable
- SPLUNK subsearch 2 CSV Files join together
- joining 2 different searches in splunk