Event correlation between two index

sgambhir0109 · ‎08-26-2021

I want to correlate events between two index

Index=A

Index = B

There are multiple user field(user, src_user, dsuer) under Index A. I have to search user in index A which have signature=password retrieved and need to check the same user in Index B if there is successful login(action=success) in 30 sec duration when user has retrieved the password.

Thank you in advance.

shugup2923 · ‎08-26-2021

Have you tried using JOIN command, as you have user as common field you can try using it.

Event correlation between two index

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Event correlation between two index

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future