Hello
I was hoping to find some help regarding 2 indexes we log in Splunk.
We use BlueCoat logs to log all the TCP actions (requests).
We recently had a large number of infections that may still wander around.
We also log all the AD IP addresses to hostname.
Now I want to check 2 outputs:
index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | table src_ip, date
index="windows" sourcetype="dhcpsrvlogs" src_ip="?????" date="?????" | table sAMAccountName
Because the (index) Bcoat logs only output src_ips with dates, I want to resolve them to hostnames from the (index) Windows.
I hope someone can help me get started with this.
Try something like this
index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | join src_ip [search index="windows" sourcetype="dhcpsrvlogs" | table src_ip, sAMAccountName] | table sAMAccountName, src_ip, date
http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Join
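The correlation the question and the answer describe (proxy hits for a known-bad host, resolved to a machine name through DHCP records) as an added, stand-alone example that is not part of either post and not Splunk code. It assumes a BlueCoat-style line of "date time src_ip cs_host" and a Windows DHCP server audit line in the CSV layout "ID,Date,Time,Description,IP Address,Host Name,MAC Address"; both log snippets are constructed. Unlike a plain join on src_ip, it looks up which host held the lease at the time of each proxy hit, because a DHCP address can change hands during the day:

```python
"""Resolve proxy hits for a known-bad host to machine names via DHCP leases.
Added example for the thread above; all log lines below are constructed."""
from datetime import datetime

# Constructed BlueCoat-style access log lines: date time src_ip cs_host
PROXY_LOG = """\
2015-11-02 09:15:02 10.1.2.50 123.bot.net
2015-11-02 09:40:11 10.1.2.50 www.example.com
2015-11-02 12:15:00 10.1.2.50 123.bot.net
2015-11-02 14:05:30 10.1.2.50 123.bot.net
2015-11-02 14:06:00 10.1.2.77 123.bot.net
"""

# Constructed DHCP server audit lines modeled on the Windows layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# ID 10 = new lease, 11 = renew, 12 = release (assumed event codes).
DHCP_LOG = """\
10,11/02/15,08:00:00,Assign,10.1.2.50,LAPTOP-ALICE,001122334455
12,11/02/15,12:00:00,Release,10.1.2.50,LAPTOP-ALICE,001122334455
10,11/02/15,12:30:00,Assign,10.1.2.50,DESKTOP-BOB,66778899aabb
10,11/02/15,07:55:00,Assign,10.1.2.77,LAPTOP-CAROL,ccddeeff0011
"""


def parse_proxy(text):
    """Return (timestamp, src_ip, cs_host) tuples from proxy log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src_ip, cs_host = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src_ip, cs_host))
    return events


def parse_dhcp(text):
    """Return lease events as (timestamp, ip, hostname, event_id), time-sorted."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, date, time, _desc, ip, host, _mac = line.split(",")[:7]
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        leases.append((ts, ip, host, event_id))
    leases.sort()
    return leases


def host_for(ip, when, leases):
    """Hostname holding `ip` at time `when`, or None if no lease was active.
    Replays lease events for that IP in order; a release clears the holder."""
    holder = None
    for ts, lease_ip, host, event_id in leases:
        if lease_ip != ip or ts > when:
            continue
        holder = None if event_id == "12" else host
    return holder


def correlate(proxy_text, dhcp_text, bad_host):
    """Map each machine that contacted `bad_host` to the times it did so.
    Hits with no active lease at that moment are kept as UNRESOLVED(ip)."""
    leases = parse_dhcp(dhcp_text)
    hits = {}
    for ts, src_ip, cs_host in parse_proxy(proxy_text):
        if cs_host != bad_host:
            continue
        name = host_for(src_ip, ts, leases) or f"UNRESOLVED({src_ip})"
        hits.setdefault(name, []).append(ts.isoformat(sep=" "))
    return hits


if __name__ == "__main__":
    for host, times in correlate(PROXY_LOG, DHCP_LOG, "123.bot.net").items():
        print(f"{host}: {', '.join(times)}")
```

The 10.1.2.50 address illustrates why the lease time matters: LAPTOP-ALICE held it in the morning and DESKTOP-BOB after 12:30, and the hit at 12:15 falls in a window with no lease at all. A join keyed only on src_ip cannot tell these apart and, with Splunk's default of one subsearch match per key, would attribute every hit to whichever DHCP record it picked first; a time-aware lookup names the right machine for each hit and flags the gap for manual follow-up.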