Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to verify IP addresses from 1 index to IPs of another index to resolve hostnames?

stefanstolk1987
New Member
‎12-10-2015 01:46 PM

Hello

I was hoping to find some help regarding a 2 indexes we log in Splunk.
We use BlueCoat logs to log all the TCP actions (requests).
We recently had a large number of infections that may still wander around.
We also log all the AD IP addresses to hostname.

Now I want to check 2 outputs:

index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | table, src_ip, date
index="windows" sourcetype="dhcpsrvlogs" src_ip="?????" date="?????" | table, sAMAccountName

Because the (index) Bcoat logs only output src_ip's to dates, I want to resolve to hostname from the (index) Windows.

I hope someone can help me get started with this.

0 Karma
Reply

sundareshr
Legend
‎12-10-2015 02:43 PM

Try something like this

index="bcoat_logs" cs_host="123.bot.net" src_ip="?????" date="?????" | join src_ip [search index="windows" sourcetype="dhcpsrvlogs" | table sAMAccountName] | table sAMAccountName src_ip, date

http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Join

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...