Combine of two different queries for single output...

ssplunkc · ‎05-18-2015

Hi Team we have two queries as mentioned below:

eventtype=cppm-fail-authentication cphost=* -->This gives me the list of failed authentication of users.

eventtype=cppm CPPM_Endpoint_Profile cphost=* hostname="*" * | table hostname,device_category, device_family, device_name, mac_vendor, mac_address, fingerprint, static_ip -->This gives me the profiling details of the device like, mac, ip, os type etc.

My requirement is that I want to combine both the queries so that we can get the device fingerprint details for failed authentication.

stephanefotso · ‎05-18-2015

Try this:

(eventtype=cppm-fail-authentication OR  eventtype=CPPM_Endpoint_Profile)  cphost=*  | table  eventtype,hostname,device_category, device_family, device_name, mac_vendor, mac_address, fingerprint, static_ip

SGF

Combine of two different queries for single output (Aruba with Splunk)

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Combine of two different queries for single output (Aruba with Splunk)

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem