How to correlate events from different sourcetypes from different timezones and no matching fields

Path Finder


We have logs coming into Unix and Windows WebSphere. Every logon in Windows generates an event in Unix with the type of security connection used (e.g. Web 3 and secure). The only thing matching in both logs is the index, and the challenge here is that the logs in Windows WebSphere have a _time 5 hours ahead of that of Unix. I tried the search below, but no events are showing up.

index=ABC_XYZ UId="*" "Logon" sourcetype="websphere:unix"
| eval First_time = _time 
| join index
[ search index=ABC_XYZ "logon" "*web3qa*" sourcetype="websphere:windows" Target="*"
| eval Error_time = _time]
| where Error_time = First_time+18000
| stats  earliest(First_time) as First_Logon by UId
| fieldformat First_time =strftime(First_time,"%I:%M:%S%p")
| fieldformat Error_time =strftime(Error_time,"%I:%M:%S%p")
| table First_Logon,First_time,Target

If editing the time in the search doesn't work, my plan is to change the _time value in the props file of the default app for this sourcetype. Please advise on how to do so.

Thanks in advance

0 Karma


Path Finder

Can you please elaborate or edit my search query? And like I said, I don't have any matching field to map from. The log from Unix just shows the type of connection used and Windows shows the user ID. As we know that they have a time difference of 5 hours, we can manually see the connection between the two logs. How do I match the events based on _time and _time+18000?

Please advise

0 Karma
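A join-free way to correlate the two sourcetypes on time alone, added here as an example and not part of the original thread: normalize the Windows timestamps by the 5-hour (18000 s) offset, bucket both streams into a common window, and keep only the windows in which both sourcetypes appear. The index, sourcetype and field names (UId, Target) are taken from the question; the 1-minute span is an assumption, and two events that straddle a bucket boundary will not be paired, so pick the span from the gap you actually observe between the two log lines.

```spl
index=ABC_XYZ ((sourcetype="websphere:unix" "Logon") OR (sourcetype="websphere:windows" "logon" "*web3qa*"))
| eval norm_time = if(sourcetype=="websphere:windows", _time - 18000, _time)
| eval window = norm_time
| bin window span=1m
| stats min(norm_time) as First_Logon values(UId) as UId values(Target) as Target dc(sourcetype) as src_count by window
| where src_count == 2
| fieldformat window = strftime(window, "%I:%M:%S%p")
| fieldformat First_Logon = strftime(First_Logon, "%I:%M:%S%p")
| table window First_Logon UId Target
```

If the 5-hour gap is really a timezone error on the Windows feed, the cleaner fix is at index time: a `TZ = <correct zone>` setting under the `[websphere:windows]` stanza in props.conf makes Splunk parse those timestamps in the right zone, so _time becomes directly comparable without any eval (this only affects data indexed after the change).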


Share some sample data from both logs.

0 Karma