Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I correlate two fields which exist in separate events but share a common field?

pladamsplunk
Explorer
‎03-15-2019 11:45 AM

I have a group of events which has the sourcetype "users"

The events within sourcetype=users contain the format:

username
field2
field3
group_access: "group1, group2, group3, groupX"
field5...

I also have logs within the same index which group together under the sourcetype=hosts

...

The events within sourcetype=hosts contain the format:

hostname
field2
field3
group_access: "group1, group2"
field5...

...

I want to correlate users with access to certain groups to hosts which have common group assignment. For example using the events below

user1
field2
field3
group_access: "group1, group3,"
field5...

host1
field2
field3
group_access: "group2"
field5...

host2
field2
field3
group_access: "group1, group3"
field5...

host3
field2
field3
group_access: "group1, group2"
field5...

I want to show that user 1 has access to host 2 and host 3 by correlation of the group_access. How can i create a query which accomplishes this and expresses it in a table

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎03-17-2019 06:17 AM

@pladamsplunk,

Can you give this a try ?

 index= "your index" (sourcetype="hosts" OR sourcetype="users")
| rex field=_raw "group_access: \"(?<groups>.+)\""| makemv groups delim=","| mvexpand groups
| eventstats values(user) as user by groups
| where isnotnull(hostname)| mvexpand user  | stats values(hostname) as hostnames by user |nomv hostnames

You may remove | rex field=_raw "group_access: \"(?<groups>.+)\"" if you already have a field groups or adjust the rex to match your original events.

Sample data used :

sourcetype=users

user="user1" ,group_access: "group1, group2, group3, groupX"
user="user2",group_access: "group5, group6"
user="user3",group_access: "group1, group6"

sourcetype=hosts

hostname="host1",group_access: "group2"
hostname="host2",group_access: "group1, group3"
hostname="host3",group_access: "group1, group2"

Result

user    hostnames
user1   host1 host2 host3
user3   host2 host3
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎03-17-2019 06:17 AM

@pladamsplunk,

Can you give this a try ?

 index= "your index" (sourcetype="hosts" OR sourcetype="users")
| rex field=_raw "group_access: \"(?<groups>.+)\""| makemv groups delim=","| mvexpand groups
| eventstats values(user) as user by groups
| where isnotnull(hostname)| mvexpand user  | stats values(hostname) as hostnames by user |nomv hostnames

You may remove | rex field=_raw "group_access: \"(?<groups>.+)\"" if you already have a field groups or adjust the rex to match your original events.

Sample data used :

sourcetype=users

user="user1" ,group_access: "group1, group2, group3, groupX"
user="user2",group_access: "group5, group6"
user="user3",group_access: "group1, group6"

sourcetype=hosts

hostname="host1",group_access: "group2"
hostname="host2",group_access: "group1, group3"
hostname="host3",group_access: "group1, group2"

Result

user    hostnames
user1   host1 host2 host3
user3   host2 host3
Happy Splunking!
Reply
Solved! Jump to solution

pladamsplunk
Explorer
‎03-18-2019 06:40 AM

This worked!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...