Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find a common field with _introspection and _internal or _auit

sairajkiran
Observer
‎03-12-2024 02:40 AM

Hi All,

our SVC calculation is in _introspection and and our search name is in _internal and _audit. We need a common filed to map those together so we can tie an SVC (and dollar amount) to a particular search. We tried doing it using the SID but that is not matching. 

Can someone help me out here based on your experiences.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

Gr0und_Z3r0
Contributor
‎03-20-2024 05:21 AM

Hi @sairajkiran 

Try checking the values from the job inspector for your event/search. Not sure if it will fulfil your needs.

The field you can use is search_id -- in _introspection and _audit indexes
For _internal, you'll need to extract this value from job which looks something like this search/search/jobs/1710936732.74/control
so the search_id field value is 1710936732.74 

If the reply helps, a Karma vote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...