Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare two fields from two different source types?

ahmed_aladwani
Engager
‎04-12-2022 03:17 PM

Hello everybody,

This is actually my first post here so forgive me if I missed up or posted in the wrong section. I'm trying to compare/corelate two fields values from different source types and same index. Please find two sample of event I'm trying to work on.

1) sample of the first source type

index=wineventlog

sourcetype=Script:ListeningPorts

host=computer1

dest=172.*.*.*

dest_port=50000

process_id=151111

 

2) sample of the second source type

index=wineventlog

sourcetype=WinHostMon

source=process

host=computer1

Path=***.exe

Process=**.exe

ProcessId=151111 

 

I'm trying to corelate process_id and ProcessId fields to get the process field and make a count table. Sample output:

process_id   |  dest_port  |  count   |  host               |  Path      |  process

151111               50000              1          Computer1      **.exe      **.exe

 

I tried this query but it didn't give me the right result

index=wineventlog sourcetype=Script:ListeningPorts dest="172.*.*.*" host="Computer1"
| table host process_id dest, dest_port
| rename process_id as ProcessId

| join type=inner host ProcessId
[search index=wineventlog sourcetype=WinHostMon
| table  ProcessId dest_port host Path process]

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-12-2022 04:03 PM

Try to avoid using join where possible, it has a number of limitations) - and in this case it's possible

(index=wineventlog sourcetype=Script:ListeningPorts dest="172.*.*.*" host="Computer1") OR (index=wineventlog sourcetype=WinHostMon host=Computer1)
| eval process_id=coalesce(process_id, ProcessId)
| stats values(dest) as dest values(Path) as Path values(process) as process by host process_id dest_port

The final stats statement will depend on what you want your output to be. This will probably be faster than a join and avoid its limitations

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-12-2022 04:03 PM

Try to avoid using join where possible, it has a number of limitations) - and in this case it's possible

(index=wineventlog sourcetype=Script:ListeningPorts dest="172.*.*.*" host="Computer1") OR (index=wineventlog sourcetype=WinHostMon host=Computer1)
| eval process_id=coalesce(process_id, ProcessId)
| stats values(dest) as dest values(Path) as Path values(process) as process by host process_id dest_port

The final stats statement will depend on what you want your output to be. This will probably be faster than a join and avoid its limitations

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...