Splunk Enterprise Security

Adding field from one search to another

dawcek
New Member

Hello All on Splunk Answer.

I have following very simple search:

*index=*proxy domain="somedomain.com"
| stats values(url) values(action) values(respcode) count by src_ip
**

In events from proxy I don't have information about user who accessed urls and I wanted to get this information from Windows related events:
by following search:

index=*windows EventCode=4624 Source_Workstation!="-" AND user!="*$"
| stats count by src_ip,user]
*

Is there any sollution how to add user field to stats table for accessing particular domain ?
I though about using join appendcols commands.

Thanks a lot for your help.

0 Karma

starcher
SplunkTrust
SplunkTrust

Yeah don’t use join or append. They have limits. Do both root searches together with an or. Then stats that together

wmyersas
Builder

There are limits, but you're not likely to hit them unless you have massive data sets and don't filter well

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@dawcek
Can you please try this?

(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" AND user!="$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count by src_ip 
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...