https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591268#M205841 <P>Hey guys,</P> <P>I`m trying to create a search that should map a session from an internal application to the corresponding VPN session.</P> <P>Main search - fields: IP_ADDRESS, USER_AD, _time - internal application login sessions.</P> <P>Sub search - fields: Framed_IP_Address, User_Name, _time - VPN allocating internal IP.</P> <P>My goal is to check whether users are using their AD account to log into application or not.</P> <P>The problem right now is that field USER_AD is not displayed in the table and I was wondering why it is happening and how could I remediate that.</P> <LI-CODE lang="markup">index=tkrsec sourcetype="cisco:acs" Acct_Status_Type=Interim-Update earliest=-8h latest=-1m [ search index=tkrsec host=Hercules_fusion | rename IP_ADDRESS as Framed_IP_Address | table Framed_IP_Address ] | eval time1=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table User_Name,Acct_Status_Type,Framed_IP_Address,time1 | join type=outer USER_AD [ search index=tkrsec host=Hercules_fusion | eval time2=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time2,USER_AD ] | table User_Name,Acct_Status_Type,Framed_IP_Address,time1, USER_AD, time2</LI-CODE> <P>&nbsp;</P> Tue, 29 Mar 2022 16:15:52 GMT alexandrucrc 2022-03-29T16:15:52Z https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591268#M205841 <P>Hey guys,</P> <P>I`m trying to create a search that should map a session from an internal application to the corresponding VPN session.</P> <P>Main search - fields: IP_ADDRESS, USER_AD, _time - internal application login sessions.</P> <P>Sub search - fields: Framed_IP_Address, User_Name, _time - VPN allocating internal IP.</P> <P>My goal is to check whether users are using their AD account to log into application or not.</P> <P>The problem right now is that field USER_AD is not displayed in the table and I was wondering why it is happening and how could I remediate that.</P> <LI-CODE lang="markup">index=tkrsec sourcetype="cisco:acs" Acct_Status_Type=Interim-Update earliest=-8h latest=-1m [ search index=tkrsec host=Hercules_fusion | rename IP_ADDRESS as Framed_IP_Address | table Framed_IP_Address ] | eval time1=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table User_Name,Acct_Status_Type,Framed_IP_Address,time1 | join type=outer USER_AD [ search index=tkrsec host=Hercules_fusion | eval time2=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time2,USER_AD ] | table User_Name,Acct_Status_Type,Framed_IP_Address,time1, USER_AD, time2</LI-CODE> <P>&nbsp;</P> Tue, 29 Mar 2022 16:15:52 GMT https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591268#M205841 alexandrucrc 2022-03-29T16:15:52Z https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591273#M205842 <P>USER_AD is not listed in the first table command so is not available for the subsequence join.</P> Tue, 29 Mar 2022 14:27:01 GMT https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591273#M205842 ITWhisperer 2022-03-29T14:27:01Z https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591289#M205846 <P>I did what you`re suggesting but it did not work that is how I ended using join command. Do you have any idea how to add that field to the table and actually be displayed in the table.</P> Tue, 29 Mar 2022 15:19:54 GMT https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591289#M205846 alexandrucrc 2022-03-29T15:19:54Z https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591292#M205847 <P>Perhaps if you share some anonymised events from your searches we might be able to understand what it is you are trying to deal with; working from your searches without a view of the data is like working with one hand tied behind your back!&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> Tue, 29 Mar 2022 15:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-create-a-search-that-should-map-a-session-from-an-internal/m-p/591292#M205847 ITWhisperer 2022-03-29T15:31:12Z