When I write a query in splunk, I get results that also contain the intermediate active directory entries. I just need the username and the remote server he logged into in a single entry in a table without the active directory records. How do I tie these two things up.
The answer is generally -
(1) find the format and identifying features of the records that contain information you need.
(2) find the format and identifying features of the records that do NOT contain information you need.
(3) write a query that retrieves the first group, eliminates the second group, and then processes the results to the format you want.
So, how do you find the format and identifying features of the records you want?
It sounds like you already have examples, just too many of them.
So, here's the steps
A) Pick ONE particular logon - one time when one user logged onto one computer and then logged through into another. Select all the events, including the ones that you don't need.
B) Anonymize this data by removing confidential information, masking IPs, changing the username and hostnames, and so on.
C) Post this non-confidential transaction data here in your question, along with your current search code. Be sure to mark the code and sample data both as code
so that nothing gets altered by the interface.
D) Create and post the layout that you would like to see this information end up in.
Then we can tell you how to mate that all up into a search, perhaps using stats or perhaps transaction, to get what you need.