Hello,
I am using Splunk DB Connect -> DB Input to import data from a MySQL Table successfully. Rather than create additional automatic lookups/DB Lookups which will be extremely slow against this massive database, **how would I join fields that are already indexed from the DB Input to avoid additional DB Lookups?**
DB Input data I would like to join on:
`source="nessusdb"` field: `host_ip` with `source="suricata"` field `src_ip`.
I would like to take the following fields from `source="nessusdb"` and add them to a search on `source="suricata"`.
Something like:
`source="suricata" msg="ET *" | table suricata_event, src_ip, nessus_vulnerability`
Sorry in advance, I am not very good at SPL yet.
Thanks!
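One way to do the correlation purely in SPL against data that is already indexed, as an added example that is not part of the original post. It assumes the field names given above (`host_ip` in `source="nessusdb"`, `src_ip`/`suricata_event` in `source="suricata"`, and `nessus_vulnerability`) and that both sources are in the same index; adjust the `index=` scoping to your environment. The first query keys both sources on a common `ip` field and aggregates with `stats`, which avoids the subsearch row and time limits that `join` is subject to; the second shows the `join` form for comparison, with the Nessus side collapsed to one row per host first so the subsearch stays small.

```spl
# Option 1: no join, no lookup. Pull both sources in one search, build a shared
# key, and let stats fold the Nessus findings onto every Suricata source IP.
(source="suricata" msg="ET *") OR source="nessusdb"
| eval ip=if(source="suricata", src_ip, host_ip)
| stats values(suricata_event) AS suricata_event
        values(nessus_vulnerability) AS nessus_vulnerability
        count(eval(source="suricata")) AS alert_count
  BY ip
| where isnotnull(suricata_event)
| table ip, alert_count, suricata_event, nessus_vulnerability

# Option 2: left join. The subsearch returns at most one row per host_ip, so the
# default subsearch limits (50,000 rows / 60 s) are far less likely to truncate
# the Nessus data silently. Suricata events with no Nessus match are kept.
source="suricata" msg="ET *"
| eval host_ip=src_ip
| join type=left host_ip
    [ search source="nessusdb"
      | stats values(nessus_vulnerability) AS nessus_vulnerability BY host_ip ]
| table suricata_event, src_ip, nessus_vulnerability
```

The `stats` form is the one to prefer for large datasets: it runs as a single map-reduce search with no subsearch, and `values()` de-duplicates the vulnerability names per host. If you need one output row per Suricata alert rather than per source IP, use Option 2, but check `| stats dc(host_ip)` on the Nessus source first and compare it with the subsearch limit; a silently truncated subsearch will make vulnerable hosts look clean.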