Solved: Search for common values from 2 different sourcety...

sumanssah · ‎09-05-2017

Hello,

I am trying to create an Splunk query to get common username from 2 different sourcetype :

1st Sourcetype :

index=pan_logs sourcetype=pan:threat log_subtype=spyware | stats count by user

2nd Sourcetype:

index=symantec sourcetype=sep12:ids NOT action="blocked"
| stats count by user

As per requirement I want to create a list of common user value from both searches.

Regards
...............SS

somesoni2 · ‎09-05-2017

Give this a try

(index=pan_logs sourcetype=pan:threat log_subtype=spyware) OR ( index=symantec sourcetype=sep12:ids NOT action="blocked")
| stats dc(index) as indexes by user | where indexes=2

View solution in original post

somesoni2 · ‎09-05-2017

Give this a try

(index=pan_logs sourcetype=pan:threat log_subtype=spyware) OR ( index=symantec sourcetype=sep12:ids NOT action="blocked")
| stats dc(index) as indexes by user | where indexes=2

Search for common values from 2 different sourcetypes

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Search for common values from 2 different sourcetypes

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey