Adding field from one search to another

Hello All on Splunk Answer.
I have the following very simple search:
index=*proxy domain="somedomain.com"
| stats values(url) values(action) values(respcode) count by src_ip
In the events from the proxy I don't have information about the user who accessed the URLs, and I wanted to get this information from Windows-related events by the following search:
index=*windows EventCode=4624 Source_Workstation!="-" AND user!="*$"
| stats count by src_ip,user
Is there any solution for adding the user field to the stats table for accessing a particular domain?
I thought about using the join or appendcols commands.
Thanks a lot for your help.

Yeah, don’t use join or append. They have limits. Do both root searches together with an OR. Then stats that together.
There are limits, but you're not likely to hit them unless you have massive data sets and don't filter well


@dawcek
Can you please try this?
(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" AND user!="*$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count by src_ip
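
A variant of the combined search above, added here as an example and not part of the original answer: in the OR'd search, `count` tallies proxy and logon events together and every host with a 4624 logon gets a row, so this version counts only events that carry a `url` field and keeps only hosts that actually reached the domain. The field name `proxy_hits` is made up for illustration; index and field names are the ones used in the thread.

```spl
(index=proxy domain="somedomain.com") OR (index=windows EventCode=4624 Source_Workstation!="-" user!="*$")
| stats values(url) as url values(action) as action values(respcode) as respcode values(user) as user count(url) as proxy_hits by src_ip
| where proxy_hits > 0
```

A `src_ip` can map to several users over a long search window (shared machines, reassigned addresses), so `user` may be multivalued; a narrower time range makes the attribution tighter.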
