Splunk Search

Help using multiple sources

tt1
Explorer

Hi, I am successfully reading and joining a couple of sources, but am having trouble adding a 3rd.

index=access_logs TTG  | 
rex field=_raw "\"GET\s*.*?xml\?*(?<ttg_request>.*?)\s*HTTP.*?\"" | 
rex field=ttg_request "c_account_code=(?<ttg_c_account_code>.*?)&" | 
rex field=ttg_request "c_error_code=(?<ttg_c_error_code>.*?)&" |  
rex field=ttg_request "c_time_stamp=(?<ttg_c_time_stamp>.*?)&" | 
rename ttg_c_account_code as addressID | 
join addressID [search index="tt2_trial_accounts"] | 
table addressID accountCode ttg_c_error_code ttg_c_time_stamp

The 3rd:

index=json_mi | table accountCode event.type date

I want to join like this:

index=access_logs OR index=json_mi |

but do not know how to handle the above rex fields in this instance.

Ideally ending up with something that looks like:

table accountCode some_field(ttg_c_error_code or event.type date) date(ttg_c_time_stamp or date)

Any help appreciated.


Ledion_Bitincka
Splunk Employee

We need a bit more info to help with crafting the search; however, generally you can use the following template to "join" data sets:

<search for all the data> | <eval/extract all the needed fields> | stats <aggregates, fields ...> BY <fields you want to join>
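As an added example that is not part of the answer or the original post, this applies that template to all three indexes from the question: one search pulls every event, the rex and eval lines put the join keys into common fields, eventstats copies accountCode from the trial-account events onto the access-log events that share an addressID, and the final stats performs the join. It assumes that index tt2_trial_accounts carries the fields addressID and accountCode, that each addressID maps to a single accountCode, and that the remaining field names are as given in the question.

```spl
(index=access_logs TTG) OR index=tt2_trial_accounts OR index=json_mi
| rex field=_raw "\"GET\s*.*?xml\?*(?<ttg_request>.*?)\s*HTTP.*?\""
| rex field=ttg_request "c_account_code=(?<ttg_c_account_code>.*?)&"
| rex field=ttg_request "c_error_code=(?<ttg_c_error_code>.*?)&"
| rex field=ttg_request "c_time_stamp=(?<ttg_c_time_stamp>.*?)&"
| eval addressID=coalesce(ttg_c_account_code, addressID)
| eventstats values(accountCode) AS trial_accountCode BY addressID
| eval accountCode=coalesce(accountCode, trial_accountCode)
| eval some_field=coalesce(ttg_c_error_code, 'event.type')
| eval date=coalesce(ttg_c_time_stamp, date)
| stats values(addressID) AS addressID values(some_field) AS some_field values(date) AS date BY accountCode
```

The rex fields are only populated on access_logs events, so each coalesce falls back to the json_mi field (event.type or date) for the other sources, and events with no accountCode at all are dropped by the final BY clause.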