Getting Data In

Tag events coming from two sources as Potential and False

veerendra_modi
Loves-to-Learn

I have two sources of events say source_1 and source_2
Both the events are coming to splunk i need to check the id and Timestamp of the event and
if the event coming from both sources at around same time i have to tag it as "Potential" otherwise "False".

The catch is if i get the event at say 3pm from source_1 then my rule should check for the same event from 2:55 to 3:05 for sourcetype_2.
If found tag it as "Potential" otherwise "False".

Please help with this.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...