Splunk Search

How to co-relate data from multiple sourcetypes?


I have data in three source types to co-relate. Time and a unique identifier number are common for all three sourcetype data.

Sample data from the first sourcetype:

_time         unique_number Name
12/9/2019 9:49  4782     John
12/9/2019 9:52  698   Andrew
12/9/2019 9:56  2487     Marshal

I need to check whether John is having a unique number 4782 in the rest of the two tables within the last 20 minutes of 1st sourcetype data time aka John's time (i.e.: 12/9/2019 9:49).
If any match found, need to return a comment(matched/not matched) to main search (i.e.: table _time,unique_number,Name,comment.
I tried sub search with join but definitely missing some points and not getting the desired output.

0 Karma

Ultra Champion
| makeresults 
| eval _raw="_time,unique_number,Name
12/9/2019 9:49,4782,John
12/9/2019 9:52,698,Andrew
12/9/2019 9:56,2487,Marshal" 
| multikv forceheader=1 
| eval _time=strptime(time,"%m/%d/%Y %H:%M") 
| table _time,unique_number,Name 
| rename COMMENT AS "this is sample you provide"
| rename COMMENT AS "From here, the logic"
| eventstats range(_time) as time_check
| eval comment=if(Name="John" AND unique_number=4782 AND time_check <= 60 * 20,"matched","not matched")
| table _time,unique_number,Name,comment

Hi, @ahmadshakir1952
I don't understand subsearch well, but I think we can create a query if you provide us with the conditions.

Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...