I am trying to join two searches with a common field
Event1:
Jun 7 14:55:37 v3**v sudo: pam_sss(sudo:auth): authentication success; logname=l* uid=5123 euid=0 tty=/dev/pts/0 ruser=lab rhost= user=lab
Event2:
Jun 7 14:48:38 v3**v-adm sshd[14821]: Accepted password for lab from 10.**.**.** port 4***4 ssh2
I want to merge two events with a common field, host, which is v3**v in the events, and output the host, user (lab), ip (v3**v) and port (***4).
Thanks in advance
Are these events from the same index/search? Which fields do you already have extracted? Is the field with v3**v-adm always in two parts separated by "-"? Can you provide more example events?
Yes, both are from the same index and the same source type ... Yes, everything is extracted. I am trying to see what is the best way to join so that I can get the IP and port details from the second event and merge them with host, user, using host as the common field.
If you are not going to give us more useful details, all I can suggest is you try
| stats values(ip) as ip values(port) as port values(user) as user by host
These are all events from the Splunk Nix TA add-on, which gives var/logs, top, ps etc. logs. The events that I posted are all related to var/logs.
Event 1 is data related to sudo authentication success logs, which has host and user name data. Event 2 is data related to the password entered and accepted for the sudo login, which has host, user name, the source ip and source port.
I am trying to get the user who has logged into a host as sudo user, source ip, source port.
Sample event 1 - sudo login
Jun 7 14:55:37 v*** sudo: pam_sss(sudo:auth): authentication success; logname=lq uid=5123 euid=0 tty=/dev/pts/0 ruser=lq rhost= user=lq
Sample event 2 - password accepted
Jun 7 14:31:30 v*** sshd[62591]: Accepted password for lq from 10.**.*.1 port 6***5 ssh
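As an added example (not posted by anyone in this thread), the search below builds on the `stats ... by host` suggestion above using the two sample event shapes: it extracts host, user, source ip and source port with rex, strips the `-adm` suffix so both hostname forms land on one key, and groups by host and user rather than host alone, so an ssh login is only paired with a sudo success for the same account. The index and sourcetype names, the `-adm` suffix rule and the extracted field names are assumptions and need adjusting to the environment.

```spl
index=os sourcetype=linux_secure ("authentication success" OR "Accepted password for")
| rex field=_raw "^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?<log_host>\S+)\s+(?<proc>sudo|sshd)"
| rex field=_raw "Accepted password for (?<ssh_user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| rex field=_raw "pam_sss\(sudo:auth\): authentication success;.* user=(?<sudo_user>\S+)"
| eval host_key=replace(log_host, "-adm$", "")
| eval user=coalesce(sudo_user, ssh_user)
| stats earliest(_time) as first_seen latest(_time) as last_seen values(proc) as procs values(src_ip) as src_ip values(src_port) as src_port by host_key user
| where mvcount(procs)=2
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host_key user src_ip src_port first_seen last_seen
```

The `where mvcount(procs)=2` line keeps only host/user pairs that appear in both an sshd "Accepted password" event and a sudo "authentication success" event; drop it to also list logins that never escalated.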