Find a common field with _introspection and _inter...

sairajkiran · ‎03-12-2024

Hi All,

our SVC calculation is in _introspection and and our search name is in _internal and _audit. We need a common filed to map those together so we can tie an SVC (and dollar amount) to a particular search. We tried doing it using the SID but that is not matching.

Can someone help me out here based on your experiences.

Gr0und_Z3r0 · ‎03-20-2024

Hi @sairajkiran

Try checking the values from the job inspector for your event/search. Not sure if it will fulfil your needs.

The field you can use is search_id -- in _introspection and _audit indexes
For _internal, you'll need to extract this value from job which looks something like this search/search/jobs/1710936732.74/control
so the search_id field value is 1710936732.74

If the reply helps, a Karma vote would be appreciated.

Find a common field with _introspection and _internal or _auit

field extraction

join

stats

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?