Hi All,
I have two sourcetypes with user information. I want to match the user by time.
Please provide me with the Splunk search to match the user by time.
If the users do not match at that time I need to set up an alert.
sourcetype="sourcetype1"
| search NOT
[
search sourcetype="sourcetype2"
| stats values(username) as username, values(_time) as _time
]
| stats values(username) as username
You will get the list of unmatched usernames, which you could then use to trigger an alert.
You would probably have to settle for close to the same time, but you could do something with the transaction command:
sourcetype=sourcetype1 OR sourcetype=sourcetype2
| transaction username maxspan=10s
| eval st_count=mvcount(sourcetype)
| where eventcount > 1 AND st_count > 1
| table username eventcount st_count
Take note of the maxspan=10s bit. This is going to be your tolerance for how far away from each other the events can be. The next line, where we do the mvcount, is so we can make sure we are getting events from both of your sourcetypes. This is counting the number of values in a multivalued field, which is generated by the transaction command. The eventcount field is automatically generated when you use transaction. The transaction command will group all events within the maxspan where username is the same.
Hopefully this will work for your use case.
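To make the transaction logic above concrete, here is an added Python emulation (not from the thread and not Splunk itself) of `transaction username maxspan=10s` followed by the `eventcount > 1 AND st_count > 1` filter, run over a handful of constructed events; it also derives the unmatched users that the question wants to alert on.

```python
from collections import defaultdict

# Constructed sample events (not from the original thread): (epoch seconds, sourcetype, username).
# alice appears in both sourcetypes 4 s apart; bob appears in both but 60 s apart;
# carol is only in sourcetype1 and dave only in sourcetype2.
EVENTS = [
    (1700000000, "sourcetype1", "alice"),
    (1700000004, "sourcetype2", "alice"),
    (1700000010, "sourcetype1", "bob"),
    (1700000070, "sourcetype2", "bob"),
    (1700000020, "sourcetype1", "carol"),
    (1700000025, "sourcetype2", "dave"),
]


def transactions(events, maxspan=10):
    """Group events per username the way `transaction username maxspan=Ns` does:
    consecutive events for a user stay in one group as long as the group's
    first-to-last span does not exceed maxspan seconds."""
    by_user = defaultdict(list)
    for ts, st, user in events:
        by_user[user].append((ts, st))
    groups = []
    for user, recs in by_user.items():
        recs.sort()
        current = [recs[0]]
        for rec in recs[1:]:
            if rec[0] - current[0][0] <= maxspan:
                current.append(rec)
            else:
                groups.append((user, current))
                current = [rec]
        groups.append((user, current))
    return groups


def matched_users(events, maxspan=10):
    """Equivalent of `eval st_count=mvcount(sourcetype) | where eventcount > 1 AND st_count > 1`:
    users with a transaction that holds more than one event from more than one sourcetype."""
    return {user for user, grp in transactions(events, maxspan)
            if len(grp) > 1 and len({st for _, st in grp}) > 1}


def unmatched_users(events, maxspan=10):
    """Users seen in either sourcetype with no counterpart in the other within maxspan;
    a non-empty result is the condition the question wants to alert on."""
    return {user for _, _, user in events} - matched_users(events, maxspan)


if __name__ == "__main__":
    print("matched:", sorted(matched_users(EVENTS)))
    print("unmatched (alert):", sorted(unmatched_users(EVENTS)))
```

Note that bob is unmatched here even though he appears in both sourcetypes, because his two events are 60 s apart and the 10 s maxspan splits them into separate transactions, each with eventcount 1.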
Just a little clarification. Are you trying to find events in the two sourcetypes, with the same user and that happened at or close to the same time?
I want to match the user by time in both sourcetypes.
yes, same user same time in both sourcetypes