https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254089#M76083 <P>Hi,</P> <P>We have logs coming into Unix and Windows Webspere. Every logon in Windows generates an event in Unix with the type of security connection used (Ex: Web 3 and secure). The only thing matching in both the logs are index, and the challenge here is the logs in Windows Websphere have a _time of 5 hours ahead from that of Unix. I tried the search below, but no events are showing up.</P> <PRE><CODE>index=ABC_XYZ UId="*" "Logon" sourcetype="websphere:unix" | eval First_time = _time | join index [ search index=ABC_XYZ "logon" "*web3qa*" sourcetype="websphere:windows" Target="*" | eval Error_time = _time] | where Error_time = First_time+18000 | stats earliest(First_time) as First_Logon by UId | fieldformat First_time =strftime(First_time,"%I:%M:%S%p") | fieldformat Error_time =strftime(Error_time,"%I:%M:%S%p") | table First_Logon,First_time,Target </CODE></PRE> <P>If editing the time in search doesn't work, my plan is to change the _time value in props file of the default app for this sourcetype. Please advise on how to do so.</P> <P>Thanks in advance</P> Tue, 01 Dec 2015 13:24:35 GMT shivarpith 2015-12-01T13:24:35Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254089#M76083 <P>Hi,</P> <P>We have logs coming into Unix and Windows Webspere. Every logon in Windows generates an event in Unix with the type of security connection used (Ex: Web 3 and secure). The only thing matching in both the logs are index, and the challenge here is the logs in Windows Websphere have a _time of 5 hours ahead from that of Unix. I tried the search below, but no events are showing up.</P> <PRE><CODE>index=ABC_XYZ UId="*" "Logon" sourcetype="websphere:unix" | eval First_time = _time | join index [ search index=ABC_XYZ "logon" "*web3qa*" sourcetype="websphere:windows" Target="*" | eval Error_time = _time] | where Error_time = First_time+18000 | stats earliest(First_time) as First_Logon by UId | fieldformat First_time =strftime(First_time,"%I:%M:%S%p") | fieldformat Error_time =strftime(Error_time,"%I:%M:%S%p") | table First_Logon,First_time,Target </CODE></PRE> <P>If editing the time in search doesn't work, my plan is to change the _time value in props file of the default app for this sourcetype. Please advise on how to do so.</P> <P>Thanks in advance</P> Tue, 01 Dec 2015 13:24:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254089#M76083 shivarpith 2015-12-01T13:24:35Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254090#M76084 <P>Have you looked at the <CODE>map</CODE> command? </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map</A></P> Tue, 01 Dec 2015 17:11:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254090#M76084 sundareshr 2015-12-01T17:11:33Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254091#M76085 <P>can you please eloberate or edit my search query? and like i said i dont have any matching field to map from.. the log from unix just shows the type of connection used and windows shows the userid. As we know that they have a time difference of 5 hours we can manually see the connection between two logs. how do i match the events based on _time and _time+18000?</P> <P>Please advise</P> Tue, 01 Dec 2015 20:11:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254091#M76085 shivarpith 2015-12-01T20:11:29Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254092#M76086 <P>Share some sample data from both logs. </P> Tue, 01 Dec 2015 21:53:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-events-from-different-sourcetypes-from/m-p/254092#M76086 sundareshr 2015-12-01T21:53:33Z