Index= INDEX-B sourcetype= SOURCE TYPE B source_address="192.168.1.50" Tunneling | return user_name

Essentially, I would like to see a new column called user_name with the user name data, all in one search, even though they are two different indexes and sourcetypes.

If it's only to identify the flow, you could override host using the link I hinted at, so you can maintain all the knowledge objects related to the same sourcetype.

The second syntax has VPN data coming into Splunk and returns user name data for a corresponding IP address:

Index= INDEX-A policy_name="Policy-A" sourcetype= SOURCE TYPE A action=DROP threat_severity=CRITICAL (source_address=192.168.1* OR source_address=192.168.2* OR source_address=192.168.3* OR source_address=192.168.4*) | stats count, values(source_zone_name) as Source_Zone, values(destination_address) as Destination_Address, values(destination_port) as Destination_Port, values(attack_name) as Attack_Name, values(threat_severity) as Threat_Severity by source_address | sort -count

where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing.

The first syntax has Firewall data coming into Splunk and gives you a table with 7 columns sorted by count.

You should be able to do this by specifying multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]

This way I can know what user corresponds to a given IP address (this is all historical data, by the way).

Just checking back since a good amount of time has been spent and I am now running out of time. I'm scratching my head trying to find out how to join two different indexes and two different sourcetypes together, and would like to extract the user_name field data from sourcetype B into sourcetype A's table. Note: rrelationId is in JSON format, hence used that way. Appreciate your help and response here.
| where mvcount(sourcetype)=1 AND sourcetype="app_log" | stats values(_time) as _time values(sourcetype) as sourcetype by rrelationId

Index=qa_source sourcetype=app_log OR sourcetype=temp_log

Source types also let you categorize your data for easier searching. It tells the platform what kind of data you have, so that it can format the data intelligently during indexing.

Below is the query; could you please suggest further.

The source type is one of the default fields that the Splunk platform assigns to all incoming data.

results: index=botsv1 sourcetype=wineventlog | table _time, action, host

Though below is the query I am using based on suggestions, I am still not able to display it in tabular format with the missing correlation ids; also I need to put the timestamp from a1.

We will look at dedup, join, and sort in the following sections.

My query has to be more generic: it should accept a query for all correlation ids (*) or
a particular correlation id (123), has to search in two index source types, and has to return the list of missing ids which are in a1 but not in a2.

I will get '*', which is for all correlation ids in the last 24 hrs or any time frame set in the Splunk dashboard, or a particular correlation id as input from the top-level text box.
2. This feature in Splunk is called source type. For example, if it is a log from the Apache web server, Splunk is able to recognize that and create appropriate fields out of the data read.

Hi All, we have 2 different sourcetypes, master and child, and need to join/append the source types on the identity column master.id and child.mastertableid. Either using common fields (as shown above) or some other way.

Just wanted to put a few more points based on my requirement; I spent a lot of time but still could not follow the correct steps.
1. All the incoming data to Splunk are first judged by its inbuilt data processing unit and classified into certain data types and categories.
Sourcetype 1                       Sourcetype 2
Username   (acebossrhino)          username
LoginID    (acebossrhinor.splunk)  loginname
IpAddress  (1.1.1.1)               clientip

My hope is to join these sourcetypes together when searching. Appreciate your quick response, thank you!