Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I compare two indexes with the same value and a different field name?

rockzers
Path Finder
‎08-25-2022 02:28 AM

i installed universal forwarder 4 machine this event log is getting my pc

i want to compare my event log and universal forwarder ip address as where i receive so i use to lookup index="_internal" to get hostname and compare my event log host

event log index

index=*  EventCode=4624

the check index of the universal forwarder is

index=_internal


query:

index=_internal fwdType=uf | table hostname sourceHost | rename hostname as uf_username sourceHost as uf_hostname | join sourceHost [search index=* EventCode=4624 Source_Network_Address=* Account_Name=Administrator Account_Domain=* | table Source_Network_Address Account_Name host]


how to compare this and if the host name matches both indexes and get the ip address from index=_internal fwdType=uf sourceHost and  index=*  Source_Network_Address

Labels (2)
Tags (3)
0 Karma
Reply

maciep
Champion
‎09-01-2022 05:24 AM

I believe if you want to use join, then the field names need to be the same.  So since you rename sourceHost to uf_hostname, then joining on sourceHost won't work.  You would need to join on uf_hostname instead and then also rename the "join" field in the second search to also be called uf_hostname.

That said, if I understand what you're trying to do (which i may not) and you have dns available, then you could try using a dns lookup instead....so just lookup the ip that is in the Source_Network_Address to get the hostname directly?  No need to join to internal logs then...

index=* EventCode=4624
| lookup dnslookup clientip AS Source_Network_Address OUTPUT clienthost AS uf_hostname_or_whatever

 

Or something to that effect. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...