https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127160#M26162 <P>Either do a join or try map search -</P> <P>1) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time 1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP | rename _time as time2 ] | eval diff=abs(time1 - time2) | search diff &lt; 3600</P> <P>2) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP | rename _time as time2 | eval diff=abs($time1$ - time2) | search diff &lt; 3600 "</P> Tue, 26 May 2015 05:18:41 GMT dineshraj9 2015-05-26T05:18:41Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127159#M26161 <P>Hi Splunk Answers,<BR /> First post here, go easy on me!<BR /> We're running Splunk ES and I would like to create a correlation search. The criteria is:<BR /> If an IDS event is received for an internal IP (I could specify a range of required) (first sourcetype) and that same IP has recieved a malware alert within an hour of the IDS event (second sourcetype), then create a notable event.</P> <P>Any clues as to what my syntax would be for this?</P> <P>Cheers</P> Tue, 26 May 2015 02:46:50 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127159#M26161 shiftey 2015-05-26T02:46:50Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127160#M26162 <P>Either do a join or try map search -</P> <P>1) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time 1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP | rename _time as time2 ] | eval diff=abs(time1 - time2) | search diff &lt; 3600</P> <P>2) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP | rename _time as time2 | eval diff=abs($time1$ - time2) | search diff &lt; 3600 "</P> Tue, 26 May 2015 05:18:41 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127160#M26162 dineshraj9 2015-05-26T05:18:41Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127161#M26163 <P>Thanks for your response dineshraj9</P> <P>In my case I dont have a "_time" field.<BR /> Time is broken down with the fields below, with example values<BR /> How can I eval time while considering the date also?</P> <P>date_hour = 15<BR /> date_mday = 25<BR /> date_minute = 36<BR /> date_month = may<BR /> date_second = 28<BR /> date_wday = monday<BR /> date_year = 2015<BR /> date_zone = 0<BR /> timestartpos = 24<BR /> timeendpos = 0</P> Mon, 28 Sep 2020 20:03:13 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127161#M26163 shiftey 2020-09-28T20:03:13Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127162#M26164 <P>_time is an internal field and it won't show up on the left. _time would in epoch form. So at the end just process the time1 and time2 fields.</P> <P>1) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time 1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP | rename _time as time2 ] | eval diff=abs(time1 - time2) | search diff &lt; 3600 | convert ctime(time1) as time1 | convert ctime(time1) as time2</P> <P>2) index=idx1 sourcetype=sourcetype1 | table _time IP | rename _time as time1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP | rename _time as time2 | eval diff=abs($time1$ - time2) | search diff &lt; 3600 " | convert ctime(time1) as time1 | convert ctime(time1) as time2</P> Tue, 26 May 2015 10:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127162#M26164 dineshraj9 2015-05-26T10:01:36Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127163#M26165 <P>Thanks for that,</P> <P>I am seeing results, what I am seeing is table headers:</P> <P>time1 IP diff time2</P> <P>time1 appears to show date and time for first sourcetype event and ip shows ip. time2 field is blank and diff shows a value which I think is in seconds? How would I show the associated event description with each sourcetype, just a case of adding to the table?</P> <P>eg. sourcetype1=ids, sourcetype2=malware, how could I see the associated event description of each source type..</P> <P>Hope that makes sense <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 May 2015 23:54:36 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127163#M26165 shiftey 2015-05-26T23:54:36Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127164#M26166 <P>Hi @shiftey and @dineshraj9</P> <P>Please be sure that when responding to someone's answer, click on "Add comment" directly below their answer or, if responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your responses to each other in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer when it was really meant as a comment. This will help with a clean continuous flow of the conversation. I already converted your "answers" to a comments appropriately, so just something to keep in mind from here on out. Thanks and happy Splunking!</P> Wed, 27 May 2015 00:42:54 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127164#M26166 ppablo 2015-05-27T00:42:54Z https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127165#M26167 <P>My Apologies.. there was typo in my previous post. It should be | convert ctime(time2) as time2(had given time1)</P> <P>Use the _raw field to show the entire event. You can also give any other extracted fields from the events.</P> <P>1) index=idx1 sourcetype=sourcetype1 | table _time IP _raw | rename _time as time 1,_raw as event1 | join IP [ search index=idx2 sourcetype=sourcetype2 | table _time IP _raw | rename _time as time2,_raw as event2 ] | eval diff=abs(time1 - time2) | search diff &lt; 3600 | convert ctime(time1) as time1 | convert ctime(time2) as time2</P> <P>2) index=idx1 sourcetype=sourcetype1 | table _time IP _raw | rename _time as time1,_raw as event1 | map search=" index=idx2 sourcetype=sourcetype2 IP=$IP$ | table _time IP _raw | rename _time as time2,_raw as event2 | eval diff=abs($time1$ - time2) | search diff &lt; 3600 " | convert ctime(time1) as time1 | convert ctime(time2) as time2</P> Mon, 28 Sep 2020 20:03:21 GMT https://community.splunk.com/t5/Getting-Data-In/Identifying-an-asset-over-multiple-sourcetype-events/m-p/127165#M26167 dineshraj9 2020-09-28T20:03:21Z