Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you correlate events from two different indexes by date?

ADRIANODL
Explorer
‎03-07-2019 03:45 PM

Hi folks,

I have 2 indexes containing information as below:

index ABC

_time                   sessionkey                  name     action
06/03/2019 01:15:20   XfRtG5R3FR$Er                John       Login
06/03/2019 01:18:25   XfRtG5R3FR$Er                John       Logout
06/03/2019 03:28:10   FFT$WFTFETR%                 John       Login
06/03/2019 03:31:56   FFT$WFTFETR%                 John       Logout

index XYZ

  _time                    name     CRUD
06/03/2019 01:16:22        John     Update

So, unfortunately, I don't have a session key in both indexes to tie in these two events.

How can I correlate these 2 logs by Name AND date range? i.e.

TimeSessionStarted  TimeSessionFinished  sessionkey   name  CRUD
06/03/2019 01:15:20 06/03/2019 01:18:25 XfRtG5R3FR$Er John Update

Cheers,

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎03-07-2019 04:41 PM

Can you try something like this ?

index="ABC" OR index="XYZ" 
| stats latest(eval(case(index="ABC" AND action="Login",_time))) as login_time latest(eval(case(index="ABC" AND action="Logout",_time))) as logout_time latest(eval(case(index="XYZ",_time))) as compare_time latest(CRUD) as CRUD latest(sessionkey) as sessionkey by name 
| where login_time<compare_time AND logout_time>compare_time

let me know if this helps!

0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 06:19 PM

Hi mayurr98,
Apologies but I didn't explain the whole thing: the login/logout words don't always appear, so I should rather use the session key as what defines a session.
Does that make sense?

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-07-2019 03:53 PM

Well as long as the times are exactly the same, this should work: 

index ABC OR index XYZ
|stats latest(CRUD) as CRUD latest(action) as action latest(sessionkey) as sessionkey by _time  name
0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 03:59 PM

Unfortunately the times are not the same. The time on index XYZ falls under a session of index ABC though.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...