Splunk Search

How to extract 2 values from different events based on another 2 common fields?

BYQ
Engager

Hello,
I'm new here, tried to find the answer to my problem but failed. I'm looking for a method to extract values from 2 different events. These events have some common fields but I'm not interested in them being part of the output.

My events have following fields (there are more, but these I would like to operate on):

EventID=10001
time=_time
user=mike
vlan=mikevlan

EventID=10002
time=_time
user=mike
L2ipaddress=1.2.3.4

What I'm looking for as a result is a table combining the vlan and L2ipaddress columns for events where user and time match; then I need a list of all vlans grouped by L2ipaddress:

1.2.3.4|mikevlan,tomvlan,anavlan
1.2.3.5|brianvlan,evevlan
etc.

Any ideas?

1 Solution

ITWhisperer
SplunkTrust
| stats values(vlan) as vlan values(L2ipaddress) as L2ipaddress by _time user
| stats values(vlan) as vlan by L2ipaddress
| eval vlan=mvjoin(vlan,",")

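A Python re-implementation of the accepted answer's two-stage stats pipeline over constructed sample events, added here and not part of the original thread; it assumes Splunk's values() semantics (distinct values, sorted, returned as a multivalue field) and also shows the edge case of a vlan event whose user/_time never pairs with an L2ipaddress event, which the second stats silently drops.

```python
from collections import defaultdict
from itertools import product

# Constructed sample events, not from the original post: EventID 10001 rows
# carry vlan, EventID 10002 rows carry L2ipaddress, and both share _time/user.
EVENTS = [
    {"_time": 1, "user": "mike", "vlan": "mikevlan"},
    {"_time": 1, "user": "mike", "L2ipaddress": "1.2.3.4"},
    {"_time": 2, "user": "tom", "vlan": "tomvlan"},
    {"_time": 2, "user": "tom", "L2ipaddress": "1.2.3.4"},
    {"_time": 3, "user": "brian", "vlan": "brianvlan"},
    {"_time": 3, "user": "brian", "L2ipaddress": "1.2.3.5"},
    # vlan event whose user/_time never pairs with an address event: the
    # second stats has no L2ipaddress to group it under, so it is dropped
    {"_time": 4, "user": "eve", "vlan": "evevlan"},
]

def _as_list(v):
    """A multivalue field (set) expands to each value; a scalar is one value."""
    return sorted(v) if isinstance(v, set) else [v]

def stats_values(rows, fields, by):
    """Mimic `| stats values(f) as f ... by k1 k2`: one output row per distinct
    by-key, each field collecting the distinct values seen (kept as a set, i.e.
    a multivalue field). Rows missing a by-field are skipped, as Splunk does."""
    out = defaultdict(lambda: {f: set() for f in fields})
    for row in rows:
        if any(row.get(k) is None for k in by):
            continue
        # a multivalue by-field contributes the row to each of its values
        for key in product(*(_as_list(row[k]) for k in by)):
            for f in fields:
                if row.get(f) is not None:
                    out[key][f].update(_as_list(row[f]))
    # re-attach the by-fields so the next stage can group on them
    return [dict(zip(by, key), **vals) for key, vals in out.items()]

def vlans_by_address(events):
    """The accepted answer's pipeline; returns {L2ipaddress: 'vlan1,vlan2'}."""
    paired = stats_values(events, ["vlan", "L2ipaddress"], ["_time", "user"])
    grouped = stats_values(paired, ["vlan"], ["L2ipaddress"])
    # `| eval vlan=mvjoin(vlan,",")` joins the multivalue field into one string
    return {r["L2ipaddress"]: ",".join(sorted(r["vlan"])) for r in grouped}

if __name__ == "__main__":
    for addr, vlans in sorted(vlans_by_address(EVENTS).items()):
        print(f"{addr}|{vlans}")
```

The first stats pairs events only when _time is identical, so if the two event types are logged a few seconds apart, bin _time (or key on something shared like a session id) before pairing.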


BYQ
Engager

ITWhisperer - wow! That worked. And the solution is even easier than I thought. I greatly appreciate it!
