https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554921#M157498 <P>These are all events from Splunk Nix TA add-on which&nbsp; gives var/logs top , ps&nbsp; &nbsp;etc logs . The events that I posted are all related to var/logs .</P><P>Event 1 is data related to sudo authentication success logs which&nbsp; host and user name data .Event 2 is data related to password entered and accepted for the sudo login which has host , user name the source ip and source port .</P><P>&nbsp;</P><P>I am trying to get the user who has logged into as host as sudo user ,source ip , source port .</P><P>Sample event 1 - sudo login</P><P><SPAN class="t">Jun</SPAN> <SPAN class="t">7</SPAN> <SPAN class="t">14:55:37</SPAN> <SPAN class="t">v***</SPAN> <SPAN class="t"><SPAN class="t a">sudo</SPAN>:</SPAN> <SPAN class="t">pam_sss</SPAN><SPAN>(</SPAN><SPAN class="t"><SPAN class="t a">sudo</SPAN>:auth</SPAN><SPAN>)</SPAN><SPAN class="t">:</SPAN> <SPAN class="t">authentication</SPAN> <SPAN class="t">success</SPAN><SPAN>; </SPAN><SPAN class="t">logname=lq</SPAN> <SPAN class="t">uid=5123</SPAN> <SPAN class="t">euid=0</SPAN> <SPAN class="t">tty=/dev/pts/0</SPAN> <SPAN class="t">ruser=lq</SPAN> <SPAN class="t">rhost=</SPAN> <SPAN class="t">user=lq</SPAN></P><P>&nbsp;</P><P><SPAN class="t">Sample event 2 - password accepted</SPAN></P><P><SPAN class="t">Jun&nbsp;7&nbsp;14:31:30 v*** sshd<SPAN>[</SPAN>62591<SPAN>]</SPAN>: <SPAN class="t a">Accepted</SPAN> <SPAN class="t a">password</SPAN> for lq from 10.**.*.1 port 6***5 ssh</SPAN></P> Tue, 08 Jun 2021 14:19:35 GMT vrmandadi 2021-06-08T14:19:35Z https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554759#M157462 <P>I am trying to&nbsp; join two searches with a common field</P><P>Event1:</P><P><SPAN class="t">Jun</SPAN> <SPAN class="t">7</SPAN> <SPAN class="t">14:55:37</SPAN> <STRONG><SPAN class="t">v3**v</SPAN></STRONG> <SPAN class="t"><SPAN class="t a">sudo</SPAN>:</SPAN> <SPAN class="t">pam_sss</SPAN><SPAN>(</SPAN><SPAN class="t"><SPAN class="t a">sudo</SPAN>:auth</SPAN><SPAN>)</SPAN><SPAN class="t">:</SPAN> <SPAN class="t">authentication</SPAN> <SPAN class="t">success</SPAN><SPAN>; </SPAN><SPAN class="t">logname=l*</SPAN> <SPAN class="t">uid=5123</SPAN> <SPAN class="t">euid=0</SPAN> <SPAN class="t">tty=/dev/pts/0</SPAN> <SPAN class="t">ruser=lab</SPAN> <SPAN class="t">rhost=</SPAN> <STRONG><SPAN class="t h"><SPAN class="t">user</SPAN>=<SPAN class="t">lab</SPAN></SPAN></STRONG></P><P>&nbsp;</P><P><SPAN class="t h"><SPAN class="t">Event2:</SPAN></SPAN></P><P><SPAN class="t h"><SPAN class="t">Jun 7 14:48:38 v3**v-adm sshd<SPAN>[</SPAN>14821<SPAN>]</SPAN>: <SPAN class="t a">Accepted</SPAN> <SPAN class="t a">password</SPAN> for lab from <STRONG>10.**.**.**</STRONG>&nbsp;port <STRONG>4***4</STRONG> ssh2</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="t h"><SPAN class="t">I want to merge two events with common field as host which is&nbsp;v3**v in the events and output&nbsp; the host,user(lab),ip(v3**v) and port (***4)&nbsp;</SPAN></SPAN></P><P><SPAN class="t h"><SPAN class="t">Thanks in advance</SPAN></SPAN></P> Mon, 07 Jun 2021 19:21:45 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554759#M157462 vrmandadi 2021-06-07T19:21:45Z https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554779#M157464 <P>Are these events from the same index/search? Which fields do you already have extracted? Is the field with v3**v-adm always in two parts separated by "-"? Can you provide more example events?</P> Mon, 07 Jun 2021 21:05:50 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554779#M157464 ITWhisperer 2021-06-07T21:05:50Z https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554799#M157472 <P>Yes both are from same index and same source type ... Yes everything is extracted.I an trying to see what is the best way to join so that I can get the IP and port details from the second event and merge with host ,user using host as common field .</P> Tue, 08 Jun 2021 01:14:19 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554799#M157472 vrmandadi 2021-06-08T01:14:19Z https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554833#M157481 <P>If you are not going to give us more useful details, all I can suggest is you try</P><LI-CODE lang="markup">| stats values(ip) as ip values(port) as port values(user) as user by host</LI-CODE><P>&nbsp;</P> Tue, 08 Jun 2021 06:44:02 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554833#M157481 ITWhisperer 2021-06-08T06:44:02Z https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554921#M157498 <P>These are all events from Splunk Nix TA add-on which&nbsp; gives var/logs top , ps&nbsp; &nbsp;etc logs . The events that I posted are all related to var/logs .</P><P>Event 1 is data related to sudo authentication success logs which&nbsp; host and user name data .Event 2 is data related to password entered and accepted for the sudo login which has host , user name the source ip and source port .</P><P>&nbsp;</P><P>I am trying to get the user who has logged into as host as sudo user ,source ip , source port .</P><P>Sample event 1 - sudo login</P><P><SPAN class="t">Jun</SPAN> <SPAN class="t">7</SPAN> <SPAN class="t">14:55:37</SPAN> <SPAN class="t">v***</SPAN> <SPAN class="t"><SPAN class="t a">sudo</SPAN>:</SPAN> <SPAN class="t">pam_sss</SPAN><SPAN>(</SPAN><SPAN class="t"><SPAN class="t a">sudo</SPAN>:auth</SPAN><SPAN>)</SPAN><SPAN class="t">:</SPAN> <SPAN class="t">authentication</SPAN> <SPAN class="t">success</SPAN><SPAN>; </SPAN><SPAN class="t">logname=lq</SPAN> <SPAN class="t">uid=5123</SPAN> <SPAN class="t">euid=0</SPAN> <SPAN class="t">tty=/dev/pts/0</SPAN> <SPAN class="t">ruser=lq</SPAN> <SPAN class="t">rhost=</SPAN> <SPAN class="t">user=lq</SPAN></P><P>&nbsp;</P><P><SPAN class="t">Sample event 2 - password accepted</SPAN></P><P><SPAN class="t">Jun&nbsp;7&nbsp;14:31:30 v*** sshd<SPAN>[</SPAN>62591<SPAN>]</SPAN>: <SPAN class="t a">Accepted</SPAN> <SPAN class="t a">password</SPAN> for lq from 10.**.*.1 port 6***5 ssh</SPAN></P> Tue, 08 Jun 2021 14:19:35 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Splunk-search-to-join-two-searches-with-common-field/m-p/554921#M157498 vrmandadi 2021-06-08T14:19:35Z