Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you correlate events from two different indexes by date?

ADRIANODL
Explorer
‎03-07-2019 03:45 PM

Hi folks,

I have 2 indexes containing information as below:

index ABC

_time                   sessionkey                  name     action
06/03/2019 01:15:20   XfRtG5R3FR$Er                John       Login
06/03/2019 01:18:25   XfRtG5R3FR$Er                John       Logout
06/03/2019 03:28:10   FFT$WFTFETR%                 John       Login
06/03/2019 03:31:56   FFT$WFTFETR%                 John       Logout

index XYZ

  _time                    name     CRUD
06/03/2019 01:16:22        John     Update

So, unfortunately, I don't have a session key in both indexes to tie in these two events.

How can I correlate these 2 logs by Name AND date range? i.e.

TimeSessionStarted  TimeSessionFinished  sessionkey   name  CRUD
06/03/2019 01:15:20 06/03/2019 01:18:25 XfRtG5R3FR$Er John Update

Cheers,

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎03-07-2019 04:41 PM

Can you try something like this ?

index="ABC" OR index="XYZ" 
| stats latest(eval(case(index="ABC" AND action="Login",_time))) as login_time latest(eval(case(index="ABC" AND action="Logout",_time))) as logout_time latest(eval(case(index="XYZ",_time))) as compare_time latest(CRUD) as CRUD latest(sessionkey) as sessionkey by name 
| where login_time<compare_time AND logout_time>compare_time

let me know if this helps!

0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 06:19 PM

Hi mayurr98,
Apologies but I didn't explain the whole thing: the login/logout words don't always appear, so I should rather use the session key as what defines a session.
Does that make sense?

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-07-2019 03:53 PM

Well as long as the times are exactly the same, this should work: 

index ABC OR index XYZ
|stats latest(CRUD) as CRUD latest(action) as action latest(sessionkey) as sessionkey by _time  name
0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 03:59 PM

Unfortunately the times are not the same. The time on index XYZ falls under a session of index ABC though.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...