Dear all,
I would like to compare two fields in a sequential way, coming from different sourcetypes already indexed in Splunk. For instance, sourcetype 1 has the queries done by clients to the DNS. Sourcetype 2 contains a dynamic list of malicious domains. I would like to correlate both sourcetypes in order to know whether a client is trying to resolve a malicious domain.

Example:

sourcetype 1 (DNS):
.www.facebook.com
.www.google.com
.www.linkedin.com
.www.malicious2.com

sourcetype 2 (malicious domains):
malicious1.com
malicious2.com

Expected result:
malicious2.com
Thanks a lot for the support!
Cheers,
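One way to do this correlation in SPL, as an added example that is not part of the original post or of any answer to it: the subsearch turns the malicious-domain list into wildcard filters so that a DNS query matches either the listed domain itself or any subdomain of it (the leading dot in the DNS events is trimmed first, and "notmalicious2.com" would not match). It assumes the sourcetypes are named dns_queries and malicious_domains, that the queried name is in a field called query, the blocklist entry in a field called domain, and the requesting client in client_ip; adjust these to the real names.

```spl
sourcetype=dns_queries
| eval query=lower(ltrim(query, "."))
| search
    [ search sourcetype=malicious_domains
      | eval domain=lower(domain)
      | eval query=mvappend(domain, "*." . domain)
      | mvexpand query
      | fields query ]
| table _time, client_ip, query
```

Subsearches are capped by default (10,000 results and 60 seconds), so for a large or fast-changing feed, load the malicious domains into a CSV lookup with a WILDCARD match type and use the lookup command instead of the subsearch.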