Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a different file from a search in two indexes when the events have a common field value?

davidepala
Path Finder
‎02-14-2018 03:40 AM

Hi guys
I need to extract two different fields from two different events in two different index only if these two events have a common field value and occur in a specific time range. For example:

EVENT1:
index SRV
_time 10:49:01
username bilbo.baggins
exchangecookie 123456789

EVENT2:

index LB
_time 10:49:00
srcip 123.45.67.89
exchangecookie 123456789

EVENT 3

index LB
_time 10:49:00
srcip 123.45.67.89
exchangecookie abcdefghi

EVENT 4

index LB
_time 10:51:00
srcip 123.45.67.89
exchangecookie 123456789

I want to draw a table with this info: username from index SRV, srcip and _time from index LB only if exchangecookie is the same in both events and the time spwn is less than 5 sec. In this case the output wil be:

10.49.00     bilbo.baggins      123.45.67.89

Time and src IP from EVENT 1 and username from EVENT 2. EVENT 3 must be ignored because have a different exchangecookie and EVENT 4 was indexed too late.

I've read about join but I don't think it's the solution.

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎02-14-2018 07:14 AM 
index=SRV | fields username, srcip, _time, exchangecookie | JOIN exchangecookie [index=LB | eval lb_time=_time] | eval spwn=abs(lb_time-_time) | search spwn<5 | table username, srcip, _time

You may need to do some conversions depending on time format. If you have lb_time and _time in epoch that should give you the answer.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-14-2018 07:08 AM

Hi davidepala,
see transaction command at https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Transaction

Anyway try something like this

index=LB OR index=SRV
| transaction exchangecookie maxspan=5s
| table _time username srcip

Transaction isn't a performant command, you could also try something like this

index=LB OR index=SRV
| bin _time span=5s
| stats values(_time) AS _time values(username) AS username values(srcip) AS srcip count BY  exchangecookie

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...