Good day Splunkers,
I'm having a problem with my search, well this is what I am trying to achieved.
I have 2 sources (AD events and DHCP events). I am retrieving Account_Name and Workstation_Name fields from AD while Host_Name and Description fields from DHCP. I am using join in my search and using the _time and IP Address as the common fields for both the searches. I did come up with results table. Great !
Here's what I have come up with my search:
index=ad sourcetype="WMI:WinEventLog:Security" CategoryString="Logon" Source_Network_Address=10.225.105.162 | rex "(?i)New\sLogon:\s+Security\sID:\s+.+\s+Account\sName:\s+(?P.+)" | eval Time=round(_time,0) | table Time, Account_Name, Workstation_Name | join Time [search index=dhcp_index IP_Address=10.225.105.162 Description=Assign OR Description=Renew | eval Time=_time | table Time,Host_Name,Description] | convert ctime(Time)
Well here comes my problem, there are events from AD that doesn't match the time from the DHCP source, like a second (or sometimes more) difference. My search won't output results since it can't match the same time on both sources.
See image:
AD source
DHCP source
I'm kinda out of search strings to use here. Is there a way I can set the seconds to match and align the results from both sources? I could use some help and guidance from our Search Gurus here.
Thanks,
crt
Hi @martin_mueller !
Thanks for this. I did manage to stick together the events from AD and DHCP with time differences. I did the transaction command with maxspan with no common field to join.
Here's what my end result table is:
