
Compare three data sources

Explorer

Hello

I have three sources for which I should compare fields. Let's say index=A, index=B and index=C. All three sources have a unique field D. I should compare the values that are in index B and index C to check they are present in index=A; if index A has values other than those of index B & C, then I should get a result of unauthorized.


SplunkTrust

If D is the transaction ID used to correlate the same event across the three indexes, then you can try

 index=A OR index=B OR index=C <Add your base search filter criteria>
| stats count as EventCount values(index) as MatchedIndexes  min(_time) as MinTime max(_time) as MaxTime by D
| search MatchedIndexes=A AND MatchedIndexes=B AND MatchedIndexes!=C
| eval durationInSeconds=MaxTime-MinTime
| eval _time=MinTime
| table _time D EventCount MatchedIndexes durationInSeconds
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust

If field D is always present but may differ across your three indexes, you can use D=* in your base search.

SplunkTrust

@jarapally Were you able to check the answer?

SplunkTrust

Please add more details on whether field D is used to correlate the events or to compare the events. Do you have some sample data from the three indexes?


Explorer

Compare the values of the field D, which is a unique bank transaction. Index B and Index C have values of field D that are present in Index A. The transaction IDs that are present in both Index B and Index C should be present in Index A; if not, they are flagged as unauthorized.

Index A Event:
Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:xxxxxx}}{E: :xxxxxxyyyyyyyy}}"

Index B Event:
02-20-2017 03:34:07 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:xxxxxxxx}}{E:
xxxxxxxxxxxxxxx
-}

Index C Event:

"{A:XX0000000000}{B:IXXXXN}{C:{D:xxxxxxx}}{E:
:xxxxxxxxxxxxxxxxxx
}

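The check described in this thread, as an added example written in Python rather than SPL and not part of any answer above: pull D out of events shaped like the three samples, group by D the way `stats values(index) as MatchedIndexes by D` would, and flag every ID that is seen in index B or index C but never in index A. The sample events and the TX-prefixed IDs are constructed for the example; the only assumption about the data is that D always appears as {D:value} with no braces inside the value.

```python
import re

# Constructed sample events modelled on the three event shapes quoted in the
# thread (the nested {A:..}{B:..}{C:{D:..}}{E:..} payloads). Every value is
# made up; the TX... strings stand in for the real transaction IDs.
SAMPLE_EVENTS = {
    "A": [
        "Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:TX1001}}{E: :xxxxxxyyyyyyyy}}",
        "Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:TX1002}}{E: :xxxxxxyyyyyyyy}}",
        # malformed event with no D field: must be skipped, not treated as an ID
        "Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}}{E: :xxxxxxyyyyyyyy}}",
    ],
    "B": [
        "02-20-2017 03:34:07 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:TX1001}}{E:\nxxxxxxxxxxxxxxx\n-}",
        "02-20-2017 03:34:08 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:TX1003}}{E:\nxxxxxxxxxxxxxxx\n-}",
    ],
    "C": [
        "\"{A:XX0000000000}{B:IXXXXN}{C:{D:TX1002}}{E:\n:xxxxxxxxxxxxxxxxxx\n}",
        "\"{A:XX0000000000}{B:IXXXXN}{C:{D:TX1004}}{E:\n:xxxxxxxxxxxxxxxxxx\n}",
    ],
}

# Assumption: D is written as {D:value} and the value itself contains no braces.
D_PATTERN = re.compile(r"\{D:([^{}]+)\}")


def extract_d(event):
    """Return the D value of one raw event, or None when the event has no D."""
    match = D_PATTERN.search(event)
    return match.group(1).strip() if match else None


def matched_indexes(events_by_index):
    """Group events by D, like `stats values(index) as MatchedIndexes by D`.

    Returns {D: sorted list of index names the ID was seen in}.
    Events without a D are dropped, which is what `D=*` does in the base search.
    """
    seen = {}
    for index_name, events in events_by_index.items():
        for event in events:
            d = extract_d(event)
            if d is None:
                continue
            seen.setdefault(d, set()).add(index_name)
    return {d: sorted(names) for d, names in seen.items()}


def find_unauthorized(events_by_index, reference="A", sources=("B", "C")):
    """Flag IDs seen in any source index (B or C) that never appear in the
    reference index A. Returns a sorted list of (D, matched index names)."""
    flagged = []
    for d, names in sorted(matched_indexes(events_by_index).items()):
        in_sources = any(name in names for name in sources)
        if in_sources and reference not in names:
            flagged.append((d, names))
    return flagged


if __name__ == "__main__":
    for d, names in find_unauthorized(SAMPLE_EVENTS):
        print(f"unauthorized: D={d} seen only in {','.join(names)}")
```

On the constructed data TX1001 and TX1002 are matched in A, while TX1003 (B only) and TX1004 (C only) come back flagged. The set logic follows the rule in the clarification post (an ID in B or C that is missing from A is unauthorized), so the equivalent SPL filter on MatchedIndexes is the one that excludes A rather than the A-and-B-but-not-C filter shown in the first answer.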