Re: How to co-relate data from multiple sourcetype...

ahmadshakir1952 · ‎12-28-2019

I have data in three source types to co-relate. Time and a unique identifier number are common for all three sourcetype data.

Sample data from the first sourcetype:

_time         unique_number Name
12/9/2019 9:49  4782     John
12/9/2019 9:52  698   Andrew
12/9/2019 9:56  2487     Marshal

I need to check whether John is having a unique number 4782 in the rest of the two tables within the last 20 minutes of 1st sourcetype data time aka John's time (i.e.: 12/9/2019 9:49).
If any match found, need to return a comment(matched/not matched) to main search (i.e.: table _time,unique_number,Name,comment.
I tried sub search with join but definitely missing some points and not getting the desired output.

to4kawa · ‎12-29-2019

| makeresults 
| eval _raw="_time,unique_number,Name
12/9/2019 9:49,4782,John
12/9/2019 9:52,698,Andrew
12/9/2019 9:56,2487,Marshal" 
| multikv forceheader=1 
| eval _time=strptime(time,"%m/%d/%Y %H:%M") 
| table _time,unique_number,Name 
| rename COMMENT AS "this is sample you provide"
| rename COMMENT AS "From here, the logic"
| eventstats range(_time) as time_check
| eval comment=if(Name="John" AND unique_number=4782 AND time_check <= 60 * 20,"matched","not matched")
| table _time,unique_number,Name,comment

Hi, @ahmadshakir1952
I don't understand subsearch well, but I think we can create a query if you provide us with the conditions.

How to co-relate data from multiple sourcetypes?

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...