https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406186#M172846 <P>Sorry for the mistake. I test again and work. I forget the rename the field.</P> <P>Thanks man.</P> Wed, 27 Feb 2019 17:31:16 GMT pgbr7 2019-02-27T17:31:16Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406178#M172838 <P>Hello guys,</P> <P>I have 2 sourcetype, the sourcetype A have the fields [ IP , hostname , source_mac ] , the sourcetype B have the fields [ Username , mac_addres ]<BR /> I need a correlation the sourcetype A source_mac with sourcetype B mac_addres, because it's the same MAC. <BR /> Return table with fields [ Username , mac_addres, IP ,hostname ]</P> <P>I'm trying this:</P> <P><STRONG>index=main (sourcetype=A) <BR /> | fields IP , hostname , source_mac <BR /> | dedup IP , hostname , source_mac<BR /> | append <BR /> [ search sourcetype="B" <BR /> | dedup mac_addres<BR /> | fields mac_addres, Username<BR /> | eval Match=coalesce(source_mac, mac_addres)<BR /> | table Match,IP , hostname , Username</STRONG></P> <P>But don't work, return the sourcetype=A and sourcetype=B. </P> <P>Any suggestion ?</P> Tue, 29 Sep 2020 23:25:10 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406178#M172838 pgbr7 2020-09-29T23:25:10Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406179#M172839 <P>You would need to use join as mentioned by another splunker.</P> <P>|makresults |eval sourcetype="A", IP="1.2.3.4", src_mac="abcd", host="host1"<BR /> |join src_mac [|makeresults | eval sourcetype="B", user="usr1", mac_address="abcd" | rename mac_address AS src_mac]</P> Tue, 29 Sep 2020 23:25:12 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406179#M172839 lakshman239 2020-09-29T23:25:12Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406180#M172840 <P>try this if you are ok with using join </P> <P>index=main (sourcetype=A)<BR /> | fields IP , hostname , source_mac<BR /> | dedup IP , hostname , source_mac<BR /> | join source_mac<BR /> [ search sourcetype="B"<BR /> | dedup mac_addres<BR /> | rename mac_addess as source_mac<BR /> | fields source_mac, Username]<BR /> | table Match,IP , hostname , Username</P> Tue, 29 Sep 2020 23:20:45 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406180#M172840 cvssravan 2020-09-29T23:20:45Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406181#M172841 <P>In this case, In sourcetype"B" I have mac_addres, but in sourcetype="A" I don´t have . So I need <BR /> compare fields ( mac_addres and source_mac , If the Source_mac have the same mac_addres, i return the fields Sourcetype A ( IP , hostname ) and sourcetype B ( Username ) in the same table.</P> <P>index=main (sourcetype=A)<BR /> | fields IP , hostname , source_mac<BR /> | dedup IP , hostname , source_mac<BR /> | join source_mac<BR /> [ search sourcetype="B"<BR /> | dedup mac_addres<BR /> | rename mac_addess as source_mac<BR /> | fields source_mac, Username]<BR /> | table Match,IP , hostname , Username</P> <P>In this case:<BR /> index=main (sourcetype=A OR sourcetype=B) <BR /> | fields IP , hostname , source_mac , mac_address, Username<BR /> | search (mac_address == source_mac)<BR /> |table IP, hostname, source_mac, Username</P> <P>Don´t work.</P> <P>Thanks guys.</P> Tue, 29 Sep 2020 23:25:41 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406181#M172841 pgbr7 2020-09-29T23:25:41Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406182#M172842 <P>Don´t work, Thanks.</P> Mon, 25 Feb 2019 14:06:50 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406182#M172842 pgbr7 2019-02-25T14:06:50Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406183#M172843 <P>The entries for each sourcetype would come in their own rows in the results, so doing <CODE>search (mac_address == source_mac)</CODE> will never work. Also <CODE>search</CODE> cannot be used to compare fields, you need to use <CODE>where</CODE> for that.</P> Mon, 25 Feb 2019 14:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406183#M172843 FrankVl 2019-02-25T14:20:13Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406184#M172844 <P>Thx FrankVI</P> Mon, 25 Feb 2019 14:41:46 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406184#M172844 lakshman239 2019-02-25T14:41:46Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406185#M172845 <P>As you don't have source_mac in both source types, we are renaming mac_address in source type B to source_mac to facilitate join with source type A. Not sure why it didn't work. </P> Tue, 29 Sep 2020 23:26:14 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406185#M172845 cvssravan 2020-09-29T23:26:14Z https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406186#M172846 <P>Sorry for the mistake. I test again and work. I forget the rename the field.</P> <P>Thanks man.</P> Wed, 27 Feb 2019 17:31:16 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-2-sourcetype-with-common-fields-different-name/m-p/406186#M172846 pgbr7 2019-02-27T17:31:16Z