Join 2 searches on Splunk

357 Views Asked by Antonino Ciancia At 14 June 2023 at 11:02

I have a table that refers to our threat intelligence IoC, and a table that refers to the company user logins.

I want to find the logins that come from an Ip address contained in our IoC list.

i tried with

"o365_management_activity" AND Operation=UserLoggedIn
| table user, src_ip 
| rename src_ip AS event.indicator 
| join event.indicator  [search (index="threatstream_summary") (sourcetype="stash") 
  | table event.indicator]

but i cannot find any result (even if i remove "AND Operation=UserLoggedIn").

What am i missing?

thank you for helping

i tried a lot of query and read a lot, but no results

Original Q&A

There are 1 best solutions below

RichG On 14 June 2023 at 13:41

One thing that is missing is an index name in the base search. Without it, Splunk will only read your default indexes (if you have any defined), which may not contain the data you seek.

Try to avoid the join command since it does not perform well. Try append, instead. How Splunk interprets field names with dots can be problematic so consider using src_ip instead of event.indicator.

index=foo "o365_management_activity" AND Operation=UserLoggedIn
| fields user, src_ip 
| append [search index=threatstream_summary sourcetype=stash
  | rename "event.indicator" as src_ip 
  | table src_ip ]
| stats values(*) as * by src_ip

Join 2 searches on Splunk

There are 1 best solutions below

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Related Questions in SPL

Trending Questions

Popular # Hahtags

Popular Questions