
Export value from the field based on another log

nikoloz04
New Member

I have O365 logs in Splunk. I want to find all shared files/folders plus display sensitivity labels of these files.

All valuable information is in the same source type (sourcetype="o365:management:activity") but in separate log rows.

I want to see on my dashboard:

CreationTime; ObjectId; Operation; SensitivityLabelId; Location; ProcessName; ProductVersion

First event (Workload "OneDrive", the sharing action):

 "CreationTime": "2021-05-06T20:19:44"
 "EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>"
 "EventSource": "SharePoint"
 "ItemType": "File"
 "ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
 "Operation": "AnonymousLinkCreated"
 "RecordType": 14
 "SiteUrl": "[MY_PERSONAL_DRIVE]"
 "SourceFileExtension": "docx"
 "SourceFileName": "TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
 "SourceRelativeUrl": "[PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
 "UserId": "test@mail.com"
 "Workload": "OneDrive"}

Second event (Workload "Aip", carries the sensitivity label):

 "ApplicationName": "Microsoft Azure Information Protection Word Add-In"
 "Location": "On-premises SharePoint"
 "ProcessName": "WINWORD"
 "ProductVersion": "2.9.116.0"}
 "CreationTime": "2021-05-06T20:13:57"
 "DataState": "Use"
 "ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
 "Operation": "Access"
 "ProtectionEventData": {"IsProtected": true
 "ProtectionOwner": "test@mail.com"
 "ProtectionType": "Template"
 "SensitiveInfoTypeData": []
 "SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"}
 "UserId": "test@mail.com"
 "UserKey": "test@mail.com"
 "UserType": 0
 "Version": 1
 "Workload": "Aip"}
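One way to combine the two event types on their shared ObjectId, as an added example that is not part of the original post: the sharing event supplies CreationTime and Operation, the Aip event supplies the label id and client details, and stats merges them per file. The SharePoint workload, the dotted JSON path for the label field, and the assumption that Location/ProcessName/ProductVersion are extracted as top-level fields are assumptions, not confirmed by the post.

```spl
sourcetype="o365:management:activity"
    ((Workload="OneDrive" OR Workload="SharePoint") Operation="AnonymousLinkCreated")
    OR (Workload="Aip" SensitivityLabelEventData.SensitivityLabelId=*)
| rename SensitivityLabelEventData.SensitivityLabelId as SensitivityLabelId
| eval ShareTime=if(Workload!="Aip", CreationTime, null())
| eval ShareOperation=if(Workload!="Aip", Operation, null())
| stats latest(ShareTime) as CreationTime,
        values(ShareOperation) as Operation,
        latest(SensitivityLabelId) as SensitivityLabelId,
        latest(Location) as Location,
        latest(ProcessName) as ProcessName,
        latest(ProductVersion) as ProductVersion
    by ObjectId
| where isnotnull(Operation)
| table CreationTime ObjectId Operation SensitivityLabelId Location ProcessName ProductVersion
```

The search time range has to cover both rows, since the Aip "Access" event can be minutes or days away from the sharing event; files that were never opened with the AIP add-in will show an empty SensitivityLabelId, which is itself worth surfacing on a dashboard of externally shared files.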