Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you correlate events from two different indexes by date?

ADRIANODL
Explorer
‎03-07-2019 03:45 PM

Hi folks,

I have 2 indexes containing information as below:

index ABC

_time                   sessionkey                  name     action
06/03/2019 01:15:20   XfRtG5R3FR$Er                John       Login
06/03/2019 01:18:25   XfRtG5R3FR$Er                John       Logout
06/03/2019 03:28:10   FFT$WFTFETR%                 John       Login
06/03/2019 03:31:56   FFT$WFTFETR%                 John       Logout

index XYZ

  _time                    name     CRUD
06/03/2019 01:16:22        John     Update

So, unfortunately, I don't have a session key in both indexes to tie in these two events.

How can I correlate these 2 logs by Name AND date range? i.e.

TimeSessionStarted  TimeSessionFinished  sessionkey   name  CRUD
06/03/2019 01:15:20 06/03/2019 01:18:25 XfRtG5R3FR$Er John Update

Cheers,

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎03-07-2019 04:41 PM

Can you try something like this ?

index="ABC" OR index="XYZ" 
| stats latest(eval(case(index="ABC" AND action="Login",_time))) as login_time latest(eval(case(index="ABC" AND action="Logout",_time))) as logout_time latest(eval(case(index="XYZ",_time))) as compare_time latest(CRUD) as CRUD latest(sessionkey) as sessionkey by name 
| where login_time<compare_time AND logout_time>compare_time

let me know if this helps!

0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 06:19 PM

Hi mayurr98,
Apologies but I didn't explain the whole thing: the login/logout words don't always appear, so I should rather use the session key as what defines a session.
Does that make sense?

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-07-2019 03:53 PM

Well as long as the times are exactly the same, this should work: 

index ABC OR index XYZ
|stats latest(CRUD) as CRUD latest(action) as action latest(sessionkey) as sessionkey by _time  name
0 Karma
Reply

ADRIANODL
Explorer
‎03-07-2019 03:59 PM

Unfortunately the times are not the same. The time on index XYZ falls under a session of index ABC though.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...