Solved: Fields in another sourcetype

rubeniturrieta · ‎12-12-2014

Hi everyone:

I have two sourcetypes: Cisco WSA, and Cisco ASA. WSA has user data, but ASA don't.
I want to have the users for every source ip (src_ip) for asa. I have DHCP.
I have for example, this:

ASA top src_ip

timestamp ! src_ip ! count
a ! ip_a ! 2
b ! ip_b ! 5

c ! ip_c ! 7

but I need this:

ASA top src_ip

timestamp ! src_ip ! count ! user
a ! ip_a ! 2 ! u1
b ! ip_b ! 2 ! u5
d ! ip_b ! 2 ! u2
c ! ip_c ! 4 ! u1
e ! ip_c ! 3 ! u5

Do someone know how to do something like this?

stephane_cyrill · ‎12-19-2014

Hi,
I think that you can use the appendcols command to do that.
To have the resulting table you need you have to pipe the search that produce the first result without user and then you use appendcols [ ] .in the square brakets you put the search that will produce only the field user from WSA sourcetype.
At the end you pipe all and you can use table command to display what you wanted. just like this:

search from ASA sourcetype | appendcols [subsearch from WSA] |table timestamp scr_ip count user

View solution in original post

stephane_cyrill · ‎12-19-2014

Hi,
I think that you can use the appendcols command to do that.
To have the resulting table you need you have to pipe the search that produce the first result without user and then you use appendcols [ ] .in the square brakets you put the search that will produce only the field user from WSA sourcetype.
At the end you pipe all and you can use table command to display what you wanted. just like this:

search from ASA sourcetype | appendcols [subsearch from WSA] |table timestamp scr_ip count user

Fields in another sourcetype

c ! ip_c ! 7

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!