Your search works, but my expected results are events from the lookup, not the main index. This is my lookup data:

asn,classification,confidence,country,date_first,date_last,detail,id,itype,lat,lon,maltype,org,resource_uri,severity,source,actor,tipreport,type,srcip,domain,md5,email,url

And all event data contains an ip field, not the same name. The schedule must be All day, because any incoming event log from the main index can be in the lookup, and vice versa.
I created a report for finding the list intersection of two sets:

A: inputlookup spam_ip (indicator of compromise)
B: index=main (event log)

| inputlookup spam_ip | join srcip [ search index=main | rename ip as srcip | fields srcip ] | summaryindex spool=t uselb=t addtime=t index="threat_summary" file="RMD55f183b338b214f84_487362985.stash_new" name="matches test" marker=""

and Time range: All day (because the events in the two sets grow daily). After the report runs, it adds the result into the summary index. The problem is the result contains all events added before.
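An added example (not the poster's own search, and not a Splunk-supplied one) of one way to get the matching lookup rows with all their fields, rather than the events, and to have each run write only that run's window to the summary index. It assumes the lookup is named spam_ip with a srcip field, events in index=main carry an ip field, the summary index threat_summary already exists, and the one-day window and marker value are assumed choices.

```spl
| inputlookup spam_ip
| search [ search index=main earliest=-1d@d latest=@d
           | rename ip AS srcip
           | stats count BY srcip
           | fields srcip ]
| collect index=threat_summary marker="report=ioc_matches"
```

The leading search keyword inside the brackets is what makes the index=main query a subsearch, and the stats BY srcip step reduces it to one srcip term per distinct address (a subsearch returns at most 10,000 rows by default, so a very large day of traffic would need a higher limit or a different approach). Scheduling the report to run once a day over the same previous-day window means each run collects only that day's matches instead of the whole history.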
When I tried this:

| inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format]

I get "Unknown search command 'index'".
It works, but when I tried this:

| inputlookup ts_lookup_destip (index=main | rename ip as srcip | fields srcip | format)

I get an error. The result I want is which indicator of compromise (including all fields) is used to detect.
I'm new to Splunk and I'm trying to build a summary index. I have a KVStore and an index:

A: inputlookup spam_ip (which is the indicator of compromise)
B: index=main (which is the event log)

Both indexes have a field that has the same data, e.g. A has a field (spam_ip), B has a field (source_ip). And I want to populate all records in set A whose data field is contained in set B into the summary index.