
How to generate a search that will correlate users' status in different target systems?

Path Finder

We get 3 csv files from 3 different target systems, T1, T2 and T3, with user details. We have users present in all the target systems. We need to display users whose status is not the same across the target systems. We have a unique value in T1 & T2 with different field names (field1, field2)

and

a common value with the field name Uniquenumber in T2 & T3.
We need to correlate the 3 target systems' csv files and display if the user status is not the same, for example:
T1 - Active
T2 - NotActive
T3 - Active

Need help to start the search. All the csv files are under the same index name and sourcetype, with different source files.

Thanks.


SplunkTrust

Try something like this

index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(ID,ApplicationID)
| eventstats values(unique) as tempUnique by AID
| eval unique=coalesce(unique,tempUnique)
| table unique Accountinformation Status estatus
| stats values(*) as * by unique

Path Finder

Hi Richgalloway,
Thanks for spending time on this. Please find the details below.

file1.csv
"OU","unique","accountname","Accountinformation"
"sitsai,ou=users,dc=company,dc=com","alpha","sphere","NA"
For the Accountinformation field we have A and NA values, which mean Active and Not Active.

file2.csv
"OU","unique","ID","Status","AID",
"sitsai,ou=users,dc=company,dc=com","alpha","12563","T","app1",
For Status we have T and A values.

file3.csv
"ApplicantionID", "employee","estatus"
"12563","apha","1"
For estatus we have 0 and 16 values. 0 means active and 1 means not active.

In file1 and file2 we have the unique value alpha in the field unique;
in file2 and file3 we have the unique value 12563 in the fields named AID and ApplicationID.

We need to join the csv files and display the fields unique, Accountinformation, Status and estatus in a table
when Accountinformation is A, Status is T and estatus is 0.

Thanks.

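The correlation the thread is asking for, worked through outside Splunk as an added example (this is not code from the thread or from Splunk; it mirrors the two-hop join in Richgalloway's search so the logic can be checked on sample rows before it is written as SPL). The sample CSV text is constructed to match the three layouts posted above, with one extra user per file so that both a consistent and an inconsistent user appear. Two things are assumptions, not stated in the thread: the file3 header is spelled ApplicationID (the posted sample reads "ApplicantionID"), and T2's Status value A is read as active and T as not active, chosen because it makes the poster's "A, T, 0" case line up with the "Active / NotActive / Active" case in the question. The join uses file2's ID column as the key into file3, as the posted search does.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample data modelled on the three CSV layouts posted in the
# thread (not real exports). "beta" is added so that a user whose status
# agrees everywhere is present alongside the posted "alpha" case. The
# trailing comma in file2 mirrors the posted header and row.
FILE1_CSV = """\
"OU","unique","accountname","Accountinformation"
"sitsai,ou=users,dc=company,dc=com","alpha","sphere","A"
"sitsai,ou=users,dc=company,dc=com","beta","cube","NA"
"""

FILE2_CSV = """\
"OU","unique","ID","Status","AID",
"sitsai,ou=users,dc=company,dc=com","alpha","12563","T","app1",
"sitsai,ou=users,dc=company,dc=com","beta","12564","T","app1",
"""

FILE3_CSV = """\
"ApplicationID","employee","estatus"
"12563","alpha","0"
"12564","beta","1"
"""

# Raw status value -> active flag, per system. T1 (A / NA) and T3 (0 active,
# 1 not active) are as stated in the thread. For T2 the thread only says the
# values are T and A; reading A as active and T as not active is an
# ASSUMPTION made for this example.
STATUS_MAP: Dict[str, Dict[str, bool]] = {
    "T1": {"A": True, "NA": False},
    "T2": {"A": True, "T": False},
    "T3": {"0": True, "1": False},
}


def load_rows(csv_text: str) -> List[Dict[str, str]]:
    """Parse CSV text into dict rows; the keys come from the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalize(system: str, raw: Optional[str]) -> Optional[bool]:
    """Map a system-specific status to True (active) / False (not active).
    Returns None for a missing user or an unexpected value, so bad data is
    surfaced instead of silently counting as a match."""
    if raw is None:
        return None
    return STATUS_MAP[system].get(raw.strip())


def correlate(t1_rows, t2_rows, t3_rows) -> List[Dict]:
    """Join T1<->T2 on `unique` and T2<->T3 on T2.ID == T3.ApplicationID,
    the same two hops as the posted SPL, using T2 as the bridge because it
    carries both keys. Returns one record per T2 user."""
    t1_by_unique = {r["unique"]: r for r in t1_rows}
    t3_by_id = {r["ApplicationID"]: r for r in t3_rows}
    records = []
    for r2 in t2_rows:
        r1 = t1_by_unique.get(r2["unique"])
        r3 = t3_by_id.get(r2["ID"])
        raw = {
            "Accountinformation": r1["Accountinformation"] if r1 else None,
            "Status": r2["Status"],
            "estatus": r3["estatus"] if r3 else None,
        }
        active = {
            "T1": normalize("T1", raw["Accountinformation"]),
            "T2": normalize("T2", raw["Status"]),
            "T3": normalize("T3", raw["estatus"]),
        }
        flags = set(active.values())
        # Consistent only when every system resolved and they all agree.
        consistent = None not in flags and len(flags) == 1
        records.append({"unique": r2["unique"], "ID": r2["ID"], **raw,
                        "active": active, "consistent": consistent})
    return records


def mismatches(records: List[Dict]) -> List[Dict]:
    """Users whose status differs between systems, plus users missing from
    a system or carrying an unrecognised value (both need a human look)."""
    return [r for r in records if not r["consistent"]]


if __name__ == "__main__":
    recs = correlate(load_rows(FILE1_CSV), load_rows(FILE2_CSV),
                     load_rows(FILE3_CSV))
    for r in mismatches(recs):
        print(r["unique"], r["Accountinformation"], r["Status"],
              r["estatus"], r["active"])
```

The point of normalising every system's value into one active/inactive flag before comparing is that the three exports encode status differently (A/NA, T/A, 0/1), so comparing raw strings can never say "same" or "different"; the same normalisation step is what an `eval` with `case()` would do in SPL before a `stats ... by unique`. Unrecognised values (the thread mentions both 1 and 16 for estatus) come back as None and are flagged rather than treated as a match.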

SplunkTrust

The question is a little too vague. What is the status field called in each source? Are status values consistent among the sources? How is field2 related to Uniquenumber?


SplunkTrust

Can you provide the list of fields by sources and their relationship?
