Splunk Enterprise Security

need some help in writing SPL for below scenerio

Explorer

i Have 2 source types each source type having asset_id field i want a search to display same asset_id that is in both source types

from that results i want to display nexpose_tag field for that asset_id from second source type

0 Karma

Esteemed Legend

Like this:

(index="Index_A" AND sourcetype="sourcetype_A") OR (index="index_B" AND sourcetype=sourcetype_B")
| stats dc(sourcetype) AS sourcetypes valeues(nexpose_tag) AS nexpose_tag BY asset_id
| where sourcetypes=2
0 Karma

Influencer

Hi @vikram1583, try this:

index=INDEXNAME (sourcetype=SOURCETYPE1 OR sourcetype=SOURCETYPE2)
| stats dc(sourcetype) AS sourcetypeCount values(nexpose_tag) AS nexpose_tag BY asset_id 
| where sourcetypeCount =2 
| fields asset_id, nexpose_tag