How to merge 2 fields to 1 field and correlate 2 s...

seksit · ‎05-12-2016

Hi

I have 2 sourcetypes: websense_ss and pan:traffic. I want to correlate these 2 sourcetypes with timestamp and IP Address of user(May 2 16:30:00 << This is timestamp pattern of data).

I'm try to merge 2 fields to 1 file because 2 sourcetypes have different fields, but it's the same data. Below are the details:
- Sourcetype websense_ss >> src_host
- Sourcetype pan:traffic >> src_ip
- I need to create new field called src_ip_wp
I want to compare 2 sourcetypes by correlate data with timestamp and ip address and get an output like this:

before correlation

timestamp Event1

timestamp Event2

Output after correlation
timestamp Event1
timestamp Event2

Thank you so much

Sorry for my poor English

sundareshr · ‎05-13-2016

See if this gives you what you're looking for

For merging the 2 fields, you can use the coalesce function. Like this

your base search here | eval src_ip_wp=coalesce(src_ip, src_host)

To corelate the events based on this new IP and time, try this

your base search here | eval src_ip_wp=coalesce(src_ip, src_host) | stats list(_raw) by src_ip_wp _time

You can change _raw to the fields that you need.

How to merge 2 fields to 1 field and correlate 2 sourcetypes with the timestamp and IP address of a user?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to merge 2 fields to 1 field and correlate 2 sourcetypes with the timestamp and IP address of a user?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR