topic Re: Pull Different Fields from another Sourcetype in Splunk Search

Pull Different Fields from another Sourcetype

itsmevic — Fri, 28 Feb 2020 23:03:01 GMT

I'm having to search across two indexes and am looking for a particular string of text, called "sampletext"

Example:
index=sso sourcetype="ping*" "my sampletext here"

Now, I would also like to search the sourecetype=Active Directory for two of its fields as I would like to include Active Directories department and description fields to my query:

Example:
index=msad sourcetype=ActiveDirectory department=* description=*

The problem is it's not pulling the Active Directory fields because I am searching for a particular string of text "sampletext" and it's only pulling back the fields under the sso index.

How do I pull the event data that contains the string text under index=sso AND pull the Active Directory fields, department and description under those events too? Is this possible?

Any help is greatly appreciated!

Re: Pull Different Fields from another Sourcetype

to4kawa — Fri, 28 Feb 2020 23:58:54 GMT

index=msad sourcetype=ActiveDirectory department=* description=* [ search index=sso sourcetype="ping*" "my sampletext here" 
| return $fieldname_has_sample_text]

this sub search returns only one event. If there is many events, change return option.

Re: Pull Different Fields from another Sourcetype

itsmevic — Wed, 30 Sep 2020 04:22:47 GMT

Hi to4kawa, thank you for providing your suggestion. I've adjusted the SPL a little bit and it is now looking at both indexes as well as multiple sourcetypes. I can see in the fields sidebar the fields from both indexes. I know just need to pipe it out into a report. Unfortunately, It will only pipe out "UserName and Workstation", both of which are fields that reside under the index=sso and not the index=msad.

(index="sso" sourcetype="ping*" UserName="" Workstation="" "NTLMSSP principal: DomainName= UserName") OR (index="msad" sourcetype=ActiveDirectory description="*")
| stats count by UserName,Workstation
| sort -count

I see the description and department fields in the fields sidebar but when I try and incorporate them into the |stats command, they aren't appearing.

Re: Pull Different Fields from another Sourcetype

to4kawa — Sat, 29 Feb 2020 08:18:16 GMT

I can make queries with only sample logs.
You have explained, but it is assumed that I know the log.
I basically don't know the system and logs outputs.
Does not presenting a log mean that you don't need help from someone who doesn't know the log? Then I'm useless.

Re: Pull Different Fields from another Sourcetype

nickhills — Sat, 29 Feb 2020 09:35:28 GMT

Am I missing something obvious?
would this not work?

(index=sso sourcetype="ping*") OR (index=msad sourcetype=ActiveDirectory department=* description=*)|search "my sample text"

Re: Pull Different Fields from another Sourcetype

to4kawa — Sat, 29 Feb 2020 09:49:38 GMT

Hi, @nickhillscpl
(index=sso sourcetype="ping*") OR (index=msad sourcetype=ActiveDirectory department=* description=*)| "my sample text"
up to here.

Re: Pull Different Fields from another Sourcetype

itsmevic — Tue, 03 Mar 2020 01:56:59 GMT

What I ended up doing was [search index=...] within the other index of my search and with a little tweaking and peaking was able to pull the data I needed.