Splunk Search

How to generate a search that will correlate users' status in different target systems?

krishnacasso
Path Finder

We get 3 CSV files from 3 different target systems T1, T2, T3 with user details. We have users present in all the target systems. We need to display users whose status is not the same in the target systems. We have a unique value in T1 & T2 with different field names, field1 and field2, and a common value with the field name Uniquenumber in T2 & T3.

We need to correlate the 3 target systems' CSV files and display if the user status is not the same:
T1 - Active
T2 - NotActive
T3 - Active.

Need help to start the search. All the CSV files are under the same index name and sourcetype, with different source files.

Thanks.


somesoni2
SplunkTrust

Try something like this:

index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(ID,ApplicationID)
| eventstats values(unique) as tempUnique by AID
| eval unique=coalesce(unique,tempUnique)
| table unique Accountinformation Status estatus
| stats values(*) as * by unique

krishnacasso
Path Finder

Hi Richgalloway,
Thanks for spending time on this. Please find the details below.

file1.csv
"OU","unique","accountname","Accountinformation"
"sitsai,ou=users,dc=company,dc=com","alpha","sphere","NA"
For the Accountinformation field we have A and NA values, which mean Active and Not Active.

file2.csv
"OU","unique","ID","Status","AID",
"sitsai,ou=users,dc=company,dc=com","alpha","12563","T","app1",
For Status we have T and A values.

file3.csv
"ApplicantionID", "employee","estatus"
"12563","apha","1"
For estatus we have 0 and 16 values; 0 means active and 1 means not active.

In file1 and file2 we have the unique value alpha in the field unique;
in file2 and file3 we have the unique value 12563 with the field names AID and ApplicationID.

We need to join the CSV files and display the fields unique, Accountinformation, Status and estatus in a table
when Accountinformation is A, Status is T and estatus is 0.

Thanks.

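The search somesoni2 posted stitches the three sources together but still lists every user; the follow-up details above are enough to finish the job the question actually asks for, which is an account-status reconciliation: map each system's status code onto one vocabulary and keep only the users whose systems disagree (an account still active in one application after it was deactivated elsewhere is exactly what an access review wants to surface). The search below is an added example, not code from the original thread, and it makes some assumptions: that file3's ID column is extracted as ApplicationID (the name used in the poster's prose, not the header spelling in the sample), that the shared value sits in file2's ID field as in the sample row (the posted search relies on the same thing), that Status T means Active and A means NotActive (inferred from the poster's "Accountinformation is A, Status is T and estatus is 0" being the consistent active combination), and that estatus 1 is the not-active code.

```spl
index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(ID, ApplicationID)
| eventstats values(unique) as tempUnique by AID
| eval unique=coalesce(unique, tempUnique)
| eval T1_status=case(Accountinformation=="A", "Active", Accountinformation=="NA", "NotActive")
| eval T2_status=case(Status=="T", "Active", Status=="A", "NotActive")
| eval T3_status=case(estatus=="0", "Active", estatus=="1", "NotActive")
| stats values(T1_status) as T1_status values(T2_status) as T2_status values(T3_status) as T3_status values(Accountinformation) as Accountinformation values(Status) as Status values(estatus) as estatus by unique
| where T1_status!=T2_status OR T2_status!=T3_status OR T1_status!=T3_status
| table unique T1_status T2_status T3_status Accountinformation Status estatus
```

The first four lines are the same key propagation as the earlier answer: file2 carries both keys, so eventstats copies its unique value onto the file3 events that share the ID. The three case() evals are the normalisation step; a code outside the mapping (such as the 16 mentioned for estatus) yields a null status rather than a silent match, so those rows are worth a separate search for unmapped codes. Because null comparisons are false in where, a user missing from one system is only flagged if the two systems that do have the user disagree; replace the where with a check on mvcount of the three status fields if a missing system should also be reported.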

richgalloway
SplunkTrust

The question is a little too vague. What is the status field called in each source? Are status values consistent among the sources? How is field2 related to Uniquenumber?

---
If this reply helps you, Karma would be appreciated.

somesoni2
SplunkTrust

Can you provide the list of fields by sources and their relationship?
