Adding field from one search to another

dawcek · ‎09-24-2019

Hello All on Splunk Answer.

I have following very simple search:

*index=*proxy domain="somedomain.com"
| stats values(url) values(action) values(respcode) count by src_ip**

In events from proxy I don't have information about user who accessed urls and I wanted to get this information from Windows related events:
by following search:

index=*windows EventCode=4624 Source_Workstation!="-" AND user!="*$"
| stats count by src_ip,user]*

Is there any sollution how to add user field to stats table for accessing particular domain ?
I though about using join appendcols commands.

Thanks a lot for your help.

starcher · ‎09-24-2019

Yeah don’t use join or append. They have limits. Do both root searches together with an or. Then stats that together

wmyersas · ‎09-24-2019

There are limits, but you're not likely to hit them unless you have massive data sets and don't filter well

kamlesh_vaghela · ‎09-24-2019

@dawcek
Can you please try this?

(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" AND user!="$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count by src_ip

Adding field from one search to another

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation