Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding field from one search to another

dawcek
New Member
‎09-24-2019 03:19 AM

Hello All on Splunk Answer.

I have following very simple search:

*index=*proxy domain="somedomain.com"
| stats values(url) values(action) values(respcode) count by src_ip**

In events from proxy I don't have information about user who accessed urls and I wanted to get this information from Windows related events:
by following search:

index=*windows EventCode=4624 Source_Workstation!="-" AND user!="*$"
| stats count by src_ip,user]*

Is there any sollution how to add user field to stats table for accessing particular domain ?
I though about using join appendcols commands.

Thanks a lot for your help.

0 Karma
Reply

starcher
Influencer
‎09-24-2019 04:13 AM

Yeah don’t use join or append. They have limits. Do both root searches together with an or. Then stats that together

Reply

wmyersas
Builder
‎09-24-2019 08:23 AM

There are limits, but you're not likely to hit them unless you have massive data sets and don't filter well

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-24-2019 03:42 AM

@dawcek
Can you please try this?

(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" AND user!="$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count by src_ip
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...