(index=security sourcetype=fortigate) OR (index=security sourcetype=clearpass)
| transaction src_ip keepevicted=true maxspan=30s
| search dvc=Android AND alert=virus
Thanks, helps a lot. But how to match src_ip if the names are different in both events? In Fortigate it's "src_ip" but in Clearpass it's "ip_address".
In a similar use case, I created an alias for this field in props.conf under the sourcetype stanza:
[Clearpass sourcetype]
FIELDALIAS-ip_address = ip_address AS src_ip
* | rename ip_address AS src_ip | transaction .....
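Putting the alias and rename suggestions together, here is an added example (not from anyone in the thread) that normalises the differing field names at search time with eval/coalesce, so no props.conf change is needed; the index, sourcetypes and field names are taken from the thread, and the second search is a stats-based alternative to transaction that is cheaper on large event volumes.

```spl
(index=security sourcetype=fortigate) OR (index=security sourcetype=clearpass)
| eval src_ip=coalesce(src_ip, ip_address)
| transaction src_ip keepevicted=true maxspan=30s
| search sourcetype=fortigate sourcetype=clearpass dvc=Android alert=virus
| table _time duration eventcount src_ip dvc alert

(index=security sourcetype=fortigate) OR (index=security sourcetype=clearpass)
| eval src_ip=coalesce(src_ip, ip_address)
| bin _time span=30s
| stats dc(sourcetype) AS n_sources, values(dvc) AS dvc, values(alert) AS alert, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, _time
| where n_sources=2
| search dvc=Android alert=virus
| convert ctime(first_seen) ctime(last_seen)
```

The first search requires both sourcetypes inside one transaction (the multivalue sourcetype field must match both terms), while the second uses fixed 30-second buckets, so a FortiGate/ClearPass pair that straddles a bucket boundary is missed; widen the span or fall back to transaction if that matters for your alert.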
Try the Fortinet FortiGate App for Splunk: https://splunkbase.splunk.com/app/2800/
Add-on: https://splunkbase.splunk.com/app/2846/
Docs: https://www.fortinet.com/content/dam/fortinet/assets/alliances/SolutionBrief-Fortinet-Splunk.pdf
The App can absorb a high volume of elevated logs in real time and provide insights to examine advanced threat intent, widespread backdoor viruses, and unexpected information flows in a single pane of glass, enabling quick visualization of everything that’s happening in your datacenter and cloud.
ClearPass Splunk app: https://splunkbase.splunk.com/app/1895/ (Aruba ClearPass App for Splunk Enterprise)