topic search filed values from sourcetype1 to another sourcetype2 in Splunk Search

search filed values from sourcetype1 to another sourcetype2

shrinivaskittur — Sun, 22 Aug 2021 19:53:23 GMT

Hi,
I need help in searching field value from the first search to another search with deferent sourcetype and combine both search fields in one table.
but the issue is filed name is the same in both sourcetype but the values are different.
example:

Sourcetype 1 has filed name "user" with value "ABCD"

sourcetype 2 has filed name "user" with value "xxx\\ABCD"

I tried with below query but not getting the output

Re: search filed values from sourcetype1 to another sourcetype2

jwalthour — Sun, 22 Aug 2021 20:29:53 GMT

Try this:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | eval user=replace(user,"xxx\\\\\\\\","") | rename user as User | stats values(Email) as Email values(HostName) as HostName values(HostIP) as HostIP values(FileName) as FileName values(Message) as Message by User

If you like it, please mark it as the Solution; if not, let me know what needs changed.

Re: search filed values from sourcetype1 to another sourcetype2

shrinivaskittur — Sun, 22 Aug 2021 20:33:30 GMT

Hello Jwalthour,

Thank you for your reply, but the "xxx" is not static value here, need some command to remove all text before "\\" and including "\\"

Re: search filed values from sourcetype1 to another sourcetype2

jwalthour — Sun, 22 Aug 2021 20:38:30 GMT

Replace line 2 with:

| rex field=user "^\S{3}\\\\\\\\(?P<user>[\s\S]+)"

or this gets you there, too:

| rex field=user "\\\\\\\\(?P<user>[\s\S]+)"

Re: search filed values from sourcetype1 to another sourcetype2

shrinivaskittur — Mon, 23 Aug 2021 19:50:35 GMT

Hi,

Sorry for coming again, I have verified the output table and the table contain only the field of sourcetype1 and the sourcetype2 field values are showing blank