multiple sourcetypes

cdawson86 · ‎10-25-2021

Hello, I'm having issue with getting a report of users Action, with fullname and username = email.. But the sourcetypes have username. But one has username and fullname but not the action. Also on the username part one has an uppercase U and other has a lower case u.. I trying to get the fullname,username,action.. This is what I have tried

index=hv_lastpass [search source=lastpass_users fullname="*,*" [search sourcetype="lastpass:activity" Action="Failed Login Attempt"| return fullname] |return Action,Time, Username] | table fullname,Username, Action ,Time

index=hv_lastpass | join type=left username [search source=lastpass_users]|join type=left Username [search sourcetype="lastpass:activity"]| table fullname,Username, Action ,Time

thank you

cdawson86 · ‎11-09-2021

Thank you for the help..

bowesmana · ‎10-25-2021

There are a number of ways to combine data from different data sets, but often, the best way to combine data from different data sets is to use these as search queries initially then aggregate down by the common attributes.

It's not clear where Action, [Uu]sername and Time fields are (is Time a specific field or is it _time?), but something like this is a start.

index=hv_lastpass (source=lastpass_users OR (sourcetype="lastpass:activity" Action="Failed Login Attempt"))
| eval _time=if(source="lastpass_users", null(), _time)
| eval Username=coalesce(Username, username)
| stats values(Action) as Action values(fullname) as fullname values(_time) as _time by Username

This collects all Actions, fullnames and _time fields for all fields by Username, which is either username OR Username (coalesce...)

Depending on what you want to do with that data and how to render it, it will require some tweaks.

multiple sourcetypes

data model

saved search

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!