Splunk Search

Help with Splunk search to join two searches with common field

vrmandadi
Builder

I am trying to join two searches with a common field.

Event1:

Jun 7 14:55:37 v3**v sudo: pam_sss(sudo:auth): authentication success; logname=l* uid=5123 euid=0 tty=/dev/pts/0 ruser=lab rhost= user=lab


Event2:

Jun 7 14:48:38 v3**v-adm sshd[14821]: Accepted password for lab from 10.**.**.** port 4***4 ssh2


I want to merge the two events on the common field host, which is v3**v in the events, and output the host, user (lab), ip (v3**v) and port (***4).

Thanks in advance

0 Karma

ITWhisperer
SplunkTrust

Are these events from the same index/search? Which fields do you already have extracted? Is the field with v3**v-adm always in two parts separated by "-"? Can you provide more example events?

0 Karma

vrmandadi
Builder

Yes, both are from the same index and the same source type ... Yes, everything is extracted. I am trying to see what is the best way to join so that I can get the IP and port details from the second event and merge them with host, user using host as the common field.

0 Karma

ITWhisperer
SplunkTrust

If you are not going to give us more useful details, all I can suggest is that you try

| stats values(ip) as ip values(port) as port values(user) as user by host


0 Karma

vrmandadi
Builder

These are all events from the Splunk Nix TA add-on, which gives var/logs, top, ps, etc. logs. The events that I posted are all related to var/logs.

Event 1 is data related to sudo authentication success logs, which has host and user name data. Event 2 is data related to the password entered and accepted for the sudo login, which has host, user name, the source ip and source port.


I am trying to get the user who has logged into a host as a sudo user, the source ip and the source port.

Sample event 1 - sudo login

Jun 7 14:55:37 v*** sudo: pam_sss(sudo:auth): authentication success; logname=lq uid=5123 euid=0 tty=/dev/pts/0 ruser=lq rhost= user=lq


Sample event 2 - password accepted

Jun 7 14:31:30 v*** sshd[62591]: Accepted password for lq from 10.**.*.1 port 6***5 ssh

0 Karma
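One complete search that correlates the two event types shown in this thread, added here as an example and not a search posted by vrmandadi or ITWhisperer. It assumes `<your_index>` and `<your_sourcetype>` are placeholders for the Nix TA index and sourcetype, that the `host` field is already extracted (as the poster says), and that the `-adm` suffix seen on `v3**v-adm` is the only difference between the host values of the two event types, so it is stripped before grouping. The field names `host_base`, `ssh_user`, `sudo_user`, `src_ip`, `src_port` and `event_type` are chosen for this example.

```spl
index=<your_index> sourcetype=<your_sourcetype> ("authentication success" OR "Accepted password for")
| eval host_base=replace(host, "-adm$", "")
| rex "Accepted password for (?<ssh_user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| rex "authentication success;.*\buser=(?<sudo_user>\S+)"
| eval event_type=case(isnotnull(ssh_user), "ssh_accepted", isnotnull(sudo_user), "sudo_auth")
| eval user=coalesce(sudo_user, ssh_user)
| stats values(src_ip) as src_ip values(src_port) as src_port min(_time) as first_seen max(_time) as last_seen dc(event_type) as event_types by host_base user
| where event_types=2
| rename host_base as host
| convert ctime(first_seen) ctime(last_seen)
| table host user src_ip src_port first_seen last_seen
```

The first `rex` pulls user, source IP and source port from the sshd "Accepted password" line; the second pulls the `user=` value from the sudo line (the `\b` keeps it from matching `ruser=`). Grouping by `host_base user` rather than by host alone matters when several people log into the same host: with only `by host`, `values(src_ip)` would attribute every login's IP and port to every sudo user on that box. `dc(event_type)=2` keeps only host/user pairs that have both an SSH login and a sudo authentication in the search window, which is the correlation the question asks for; `first_seen`/`last_seen` give the reviewer the time span the pair was active.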