Or index="seculert_records" gw_action=Allowed |rename user TO ln| join type=inner Logon_Account | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id

But neither of these seems to work, as the Source_Workstation is not populated, whereas it is for the first search, but only for some records. I have tried using eval ln=lower(Logon_Account) and then renaming the field to ln like so: index="my_records" gw_action=Allowed |rename user TO ln| join type=inner eval (ln=lower(Logon_Account) | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id

Further investigation showed the Logon_Account was sometimes partly in lowercase and sometimes partly in uppercase (e.g.

Is it possible to use the common field, 'host', to join the two events (from the two search results) together within 20 seconds of either event? Please let me know how to control the table output and remove all rows with onefield null values. The event time from both searches occurs within 20 seconds of each other. I am using the below query to join 2 searches, but the table is showing me duplicate rows with only commonfields and null values in the onefield, onefieldtow and onefieldthree columns for these rows.

However, some checks I made suggested the join was not working correctly, as running separate searches in my_records and wineventlog showed users appearing in wineventlog which didn't appear in the joined search.

I have two searches which have a common field, say 'host', in two events (one from each search).

I am trying to find the top 5 failures that are impacting the client. I joined both of them using a common field; these are production logs so I am changing the names. So I have 2 queries, one is the client logs query and another the server logs query.
I've managed to sort this out using: index="my _records" gw_action=Allowed |rename user TO Logon_Account | join type=inner Logon_Account | table time_seen, Logon_Account, Source_Workstation, category, crime_server, gw_action, src, record_id

I am writing a splunk query to find out the top exceptions that are impacting the client.

Let me know if assistance with Field Aliases is required. This way the fields will be normalized for easier correlation. Just for your reference, I have provided the sample data in resp. The rex command that extracts the duration field is a little off. Finally, for the situation described by you, you should create Field Aliases for the userid and ip fields for index A and index B respectively.

I will use join to combine the first two queries as suggested by you and achieve the required output. Thanks for your help, I should have seen the field name issue!

Thank you Giuseppe, you are a genius :) Without even asking for the sample data you were able to provide these queries. Once I put the two field aliases in place st1 : FIELDALIAS-st1commonid st2 : FIELDALIAS-st2commonid I was able to run the below indexmyIndex sourcetypest1 field1 join commonid search indexmyIndex sourcetypest2 and get data.