Splunk Enterprise Security

Search for common values from 2 different sourcetypes


Hello,

I am trying to create a Splunk query to get common usernames from 2 different sourcetypes:

1st Sourcetype:

index=pan_logs sourcetype=pan:threat log_subtype=spyware | stats count by user

2nd Sourcetype:

index=symantec sourcetype=sep12:ids NOT action="blocked"
| stats count by user

As per the requirement, I want to create a list of common user values from both searches.

Regards
...............SS


Give this a try

(index=pan_logs sourcetype=pan:threat log_subtype=spyware) OR ( index=symantec sourcetype=sep12:ids NOT action="blocked")
| stats dc(index) as indexes by user | where indexes=2

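The accepted answer works because `dc(index)` counts how many distinct indexes each user appears in, so `indexes=2` is a true intersection of the two sources. To make that behaviour concrete, here is an added Python example (not part of the thread, not Splunk code) that replays the same pipeline over a small constructed event set. It shows why `dc(index)` is the right aggregation and why `count` would not do: a user seen several times in one source gets count 2 but dc 1, and an event lacking the `user` field drops out of `stats ... by user` entirely. The event dicts and the field values in them are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real log data) standing in for the results the two
# searches in the thread would return. Only the fields the answer relies on are modelled.
EVENTS = [
    # index=pan_logs sourcetype=pan:threat log_subtype=spyware
    {"index": "pan_logs", "sourcetype": "pan:threat", "log_subtype": "spyware", "user": "alice"},
    {"index": "pan_logs", "sourcetype": "pan:threat", "log_subtype": "spyware", "user": "alice"},
    {"index": "pan_logs", "sourcetype": "pan:threat", "log_subtype": "spyware", "user": "bob"},
    # log_subtype is not spyware, so the first search excludes it
    {"index": "pan_logs", "sourcetype": "pan:threat", "log_subtype": "url", "user": "carol"},
    # index=symantec sourcetype=sep12:ids NOT action="blocked"
    {"index": "symantec", "sourcetype": "sep12:ids", "action": "allowed", "user": "alice"},
    {"index": "symantec", "sourcetype": "sep12:ids", "action": "allowed", "user": "dave"},
    {"index": "symantec", "sourcetype": "sep12:ids", "action": "allowed", "user": "dave"},
    # action=blocked, so the second search excludes it
    {"index": "symantec", "sourcetype": "sep12:ids", "action": "blocked", "user": "bob"},
    # no user field: "stats ... by user" silently drops this event
    {"index": "symantec", "sourcetype": "sep12:ids", "action": "allowed"},
]


def base_search(events):
    """The OR'd base search: keep events matching either of the two original filters."""
    kept = []
    for e in events:
        pan = (e.get("index") == "pan_logs" and e.get("sourcetype") == "pan:threat"
               and e.get("log_subtype") == "spyware")
        # NOT action="blocked" also matches events that have no action field at all
        sep = (e.get("index") == "symantec" and e.get("sourcetype") == "sep12:ids"
               and e.get("action") != "blocked")
        if pan or sep:
            kept.append(e)
    return kept


def stats_dc_index_by_user(events):
    """| stats dc(index) as indexes by user  -> {user: number of distinct indexes}"""
    indexes = defaultdict(set)
    for e in events:
        if "user" in e:  # by-field missing: the event contributes nothing
            indexes[e["user"]].add(e["index"])
    return {user: len(s) for user, s in indexes.items()}


def stats_count_by_user(events):
    """| stats count by user  -> {user: raw event count}, shown for contrast only"""
    counts = defaultdict(int)
    for e in events:
        if "user" in e:
            counts[e["user"]] += 1
    return dict(counts)


def common_users(events):
    """Users present in both sources: dc(index) == 2 after the OR'd search."""
    dc = stats_dc_index_by_user(base_search(events))
    return sorted(user for user, n in dc.items() if n == 2)


if __name__ == "__main__":
    matched = base_search(EVENTS)
    print("common users:", common_users(EVENTS))
    print("dc(index) by user:", stats_dc_index_by_user(matched))
    print("count by user:", stats_count_by_user(matched))
```

Running it returns `alice` as the only common user; `dave` has a raw count of 2 but a distinct-index count of 1, which is exactly the case a `count`-based filter would get wrong. If both sourcetypes ever lived in the same index, the same pattern still works by switching the distinct count to `dc(sourcetype)`.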
