Splunk Search

How to generate a search that will correlate users' status in different target systems?

Path Finder

We get 3 CSV files from 3 different target systems (T1, T2, T3) with user details. We have users present in all the target systems. We need to display users whose status is not the same in the target systems. We have a unique value in T1 & T2 with different field names (field1, field2).

There is a common value with field name (Uniquenumber) in T2 & T3.
We need to correlate the 3 target systems' CSV files and display if the user status is not the same.
T1 - Active
T2 - NotActive
T3 - Active

Need help to start the search. All the CSV files are under the same index name and sourcetype, with different source files.


0 Karma

Revered Legend

Try something like this

index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(ID,ApplicationID)
| eventstats values(unique) as tempUnique by AID
| eval unique=coalesce(unique,tempUnique)
| table unique Accountinformation Status estatus
| stats values(*) as * by unique

Path Finder

Hi Richgalloway,
Thanks for spending time on this. Please find the details below.

For the Accountinformation field we have A and NA values, which mean Active and Not Active.

For status we have T and A values.

"ApplicantionID", "employee","estatus"
For estatus we have 0 and 16 values. 0 means active and 1 means not active.

In file1 and file2 we have the unique value alpha with field unique.
In file2 and file3 we have the unique value 12563 with field names AID and ApplicationID.

We need to join the CSV files and display the fields unique, Accountinformation, Status, estatus in a table
when Accountinformation is A, status is T and estatus is 0.


0 Karma


The question is a little too vague. What is the status field called in each source? Are status values consistent among the sources? How is field2 related to Uniquenumber?

If this reply helps you, Karma would be appreciated.
0 Karma

Revered Legend

Can you provide the list of fields by sources and their relationship?

0 Karma
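
An added example, not posted by any participant in the thread: it extends the stitching approach from the reply above by normalizing each system's status code to a common label and keeping only the users whose labels disagree, which is the reconciliation report the question asks for. Assumptions: Accountinformation comes from file1, Status from file2 and estatus from file3; a Status of T means not active; any estatus other than 0 counts as not active; the key is read from AID or ApplicationID as named in the follow-up post; index, sourcetype and source names are the placeholders used in the reply.

```spl
index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(AID, ApplicationID) ```file2 names the shared key AID, file3 names it ApplicationID```
| eventstats values(unique) as tempUnique by AID ```copy file2's unique onto the file3 rows that share its AID```
| eval unique=coalesce(unique, tempUnique)
| eval t1=case(Accountinformation=="A", "Active", Accountinformation=="NA", "NotActive") ```A / NA as described in the thread```
| eval t2=case(Status=="A", "Active", Status=="T", "NotActive") ```assumption: T means not active```
| eval t3=case(tonumber(estatus)==0, "Active", isnotnull(estatus), "NotActive") ```assumption: any non-zero estatus is not active```
| stats values(Accountinformation) as Accountinformation values(Status) as Status values(estatus) as estatus values(t1) as t1 values(t2) as t2 values(t3) as t3 by unique
| eval states=mvdedup(mvappend(t1, t2, t3)) ```distinct normalized labels seen for this user across the three systems```
| where mvcount(states) > 1 ```keep only users whose systems disagree```
| table unique Accountinformation Status estatus t1 t2 t3
```

A user who is A in file1, T in file2 and 0 in file3 ends up with the labels Active, NotActive, Active and is listed; a user with the same label in all three systems is dropped.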