Getting Data In

リアルタイムアラート作成時の複数フィールドの突合について

midcoffessplunk
Engager

異なるソースタイプ[sourcteype=A1]の中に[user]、[sourcetype=B1]の中に[ap_user]というフィールドがあります。

この2つの[user],[ap_user]のユーザ名が同じであるかどうか判定するリアルタイムアラートを作成したいです。

リアルタイムサーチ時にappendやjoinでサブサーチを利用するとうまくいきませんでした。

これを解決できる方法がありましたら、ご教授下さい。


sourcetype="A1"
|fields user
|join
[
|search sourcetype="B1"
|fields ap_user
]
|table user,ap_user
|eval match=if(user==ap_user, "〇", "×")

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@midcoffessplunk 

この検索を試してみませんか?

 

sourcetype="A1" OR sourcetype="B1"
| eval User = coalesce(user,ap_user)
| stats count by User
| where count > 1

 

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@midcoffessplunk 

この検索を試してみませんか?

 

sourcetype="A1" OR sourcetype="B1"
| eval User = coalesce(user,ap_user)
| stats count by User
| where count > 1

 

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...