Splunk Search

Do I need to use the join command to combine three searches (including one search with the transaction command)?

aba83
Explorer

Hi, I'm trying to combine my three searches so I can see which users are logging in from multiple locations at one time. At the moment, I have these three searches.

index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*
| iplocation OriginalIP
| search Country=* NOT Country="United States"
| rex field=user "\w{3}\\\(?\S+)"
| eval User=lower(user)
| table User Country
| stats values(Country) as country dc(Country) as Count by User
| sort User

index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless
| iplocation tunnel_client_endpoint
| search Country=* NOT Country="United States"
| rex field=user "\w{3}\\\(?\S+)"
| eval User=lower(user)
| table User Country
| stats values(Country) as Country dc(Country) as Count by User
| sort User

index=mensa_radius-prod vendor=Microsoft NOT Wireless
| transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success
| iplocation tunnel_client_endpoint
| search Country=* NOT Country="United States"
| rex field=user "\w{3}\\\(?\S+)"
| eval User=lower(user)
| table User Country
| stats values(Country) as country dc(Country) as Count by User
| sort User

I was thinking the way to do this is to use a join; however, I don't know how that works if I have a transaction command. Is there another way to use this or do I have to use a JOIN? If I do use a join, how would I go about it? Thanks!

0 Karma
1 Solution

lguinn2
Legend

Try this:

(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*)
OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless)
| append [ search index=mensa_radius-prod vendor=Microsoft NOT Wireless 
          | transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success ]
| eval clientIP=if(index="mensa_exchange-prod",OriginalIP,tunnel_client_endpoint)
| iplocation clientIP
| search Country=* NOT Country="United States"
| rex field=user "\w{3}\\\(?<user>\S+)" 
| eval User=lower(user) 
| stats values(Country) as country dc(Country) as Count by User

But you do need to check the rex command - something got munged when you posted it, and I made an assumption. But it still seems weird to me.
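The accepted answer's approach, as an added Python example that is not part of the thread: union the three sources instead of joining them, pick the IP field that each source actually carries (the `if(index=...)` step), geolocate it, drop missing and United States results, normalize `DOMAIN\user` to a lowercase user name with the named capture group the answer assumed, and count distinct countries per user. The sample events, the prefix-to-country table standing in for `iplocation`, and the toy `transaction` that pairs a session start with the next `action=success` for the same user within `maxspan` seconds are all constructed for this example; the field and index names follow the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events standing in for the three searches in the thread.
# Field and index names follow the thread; users, IPs and timestamps are made up.
OWA_EVENTS = [
    {"index": "mensa_exchange-prod", "user": "ACM\\jdoe", "OriginalIP": "203.0.113.10"},
    {"index": "mensa_exchange-prod", "user": "ACM\\asmith", "OriginalIP": "192.0.2.40"},
]
RADIUS_EVENTS = [
    {"index": "mensa_radius-prod", "user": "ACM\\JDoe", "tunnel_client_endpoint": "198.51.100.7"},
]
# vendor=Microsoft RADIUS events: a session start (acct_session_id) followed by action=success.
RADIUS_MS_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "index": "mensa_radius-prod", "user": "ACM\\bking",
     "acct_session_id": "s1", "tunnel_client_endpoint": "203.0.113.99"},
    {"_time": "2024-01-01T10:00:00", "index": "mensa_radius-prod", "user": "ACM\\bking", "action": "success"},
    {"_time": "2024-01-01T10:05:00", "index": "mensa_radius-prod", "user": "ACM\\bking",
     "acct_session_id": "s2", "tunnel_client_endpoint": "198.51.100.50"},
    # success arrives 5 s after the start, so with maxspan=1 this session is not stitched
    {"_time": "2024-01-01T10:05:05", "index": "mensa_radius-prod", "user": "ACM\\bking", "action": "success"},
]

# Constructed stand-in for the iplocation lookup (documentation prefixes, made-up countries).
GEO = {"203.0.113.": "Germany", "198.51.100.": "Brazil", "192.0.2.": "United States"}


def iplocation(ip):
    for prefix, country in GEO.items():
        if ip.startswith(prefix):
            return country
    return None


# Equivalent of the answer's rex "\w{3}\\(?<user>\S+)": three-letter domain, backslash, user.
USER_RE = re.compile(r"\w{3}\\(?P<user>\S+)")


def normalize_user(raw):
    m = USER_RE.match(raw)
    return (m.group("user") if m else raw).lower()


def transaction(events, maxspan=1):
    """Toy version of `transaction user maxspan=1 startswith=acct_session_id=* endswith=action=success`:
    pair each session start with the next success for the same user within maxspan seconds.
    Starts with no matching success are dropped (a simplification of Splunk's behaviour)."""
    open_starts, out = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(ev["_time"])
        if "acct_session_id" in ev:
            open_starts[ev["user"]] = (t, ev)
        elif ev.get("action") == "success" and ev["user"] in open_starts:
            t0, start = open_starts.pop(ev["user"])
            span = (t - t0).total_seconds()
            if span <= maxspan:
                out.append(dict(start, action="success", duration=span))
    return out


def multi_country_logins(owa, radius, radius_ms):
    """Union of the three sources, then values(Country) and dc(Country) by User."""
    events = list(owa) + list(radius) + transaction(radius_ms)
    countries = defaultdict(set)
    for ev in events:
        # eval clientIP=if(index="mensa_exchange-prod", OriginalIP, tunnel_client_endpoint)
        ip = ev.get("OriginalIP") if ev.get("index") == "mensa_exchange-prod" else ev.get("tunnel_client_endpoint")
        country = iplocation(ip) if ip else None
        # search Country=* NOT Country="United States"
        if country is None or country == "United States":
            continue
        countries[normalize_user(ev["user"])].add(country)
    return {u: {"country": sorted(c), "Count": len(c)} for u, c in sorted(countries.items())}


def flagged(results):
    """Users seen from more than one non-US country across all sources."""
    return [u for u, r in results.items() if r["Count"] > 1]


if __name__ == "__main__":
    results = multi_country_logins(OWA_EVENTS, RADIUS_EVENTS, RADIUS_MS_EVENTS)
    for user, r in results.items():
        print(f"{user}: {r['country']} (Count={r['Count']})")
    print("flagged:", flagged(results))
```

Running it shows why the union (OR plus append) is the right shape here: jdoe is reported with two countries only because one login came from OWA and the other from RADIUS, and an inner join on User would keep only users present on both sides and lose everyone who appears in a single source. The toy transaction also shows the effect of `maxspan`: bking's second session is never stitched, so only one country is counted for that user.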

aba83
Explorer

The transaction search works now, but now the records from the

index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*

aren't coming through.

0 Karma

aba83
Explorer

Fixed it, it was the if statement. Thank you for your help.

0 Karma

lguinn2
Legend

Yes, I forgot to put quotation marks around the value in the if statement. I fixed it - thank you!

0 Karma

aba83
Explorer

At the moment I have this search that combines the first two searches.

(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" user=* NOT LogoffReason=* OriginalIP=*)
OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved tunnel_client_endpoint=* user=* NOT Wireless)
| iplocation OriginalIP
| iplocation tunnel_client_endpoint
| search Country!="United States"
| rex field=user "\w{3}\\\(?\S+)"
| eval User=lower(user)
| table User Country
| stats values(Country) as country dc(Country) as Count by User
| sort User

Now I just have to figure out how to add the last one with the transaction. I'm assuming a join; any help would be greatly appreciated.

0 Karma

aaraneta_splunk
Splunk Employee

Hi @aba83 - For future reference, instead of wrapping your sample searches in HTML <code>, try using the Code Sample (101010) button on the toolbar when you're posting your sample searches, data, and/or code. It's right next to the Blockquote button. Thanks!

0 Karma