Splunk Search
Highlighted

How to group various logs from different indexes with different field names, but same values?

Builder

I am trying to group three sets of indexes' logs when all three have the same source and destination IP address within a minute of each other. My initial thought was to use transaction, but ran into a problem because the source IP in index-A is called 'dvcip'. Is there a way to have transaction see the dvcip value of Index-A and match that with src_ip value of Index B & C?

Ultimately, I'd like to join these logs together to then create a table (username, hostip, srcip, dest_ip, website, category, referrer).

Log Field Setup

Index-A    host_ip     dvc_ip    dest_ip    
Index-B                src_ip    dest_ip    website    referrer
Index-C                src_ip    dest_ip    website    category    username

// dvc_ip and src_ip are the same value, just named differently.  Indices B/C do not have the host_ip.

Sample Data

Index-A    192.168.0.100     1.2.3.4    4.4.4.4    
Index-B                      1.2.3.4    4.4.4.4    amazon.com    google.com
Index-C                      1.2.3.4    4.4.4.4    amazon.com    shopping    jsmith
0 Karma
Highlighted

Re: How to group various logs from different indexes with different field names, but same values?

SplunkTrust
SplunkTrust

Why don't you use an alias to name your source ip with the same name across all your three indexes?
Something like:

index=Index-A OR index=Index-B OR index=Index-C
| eval source_ip = coalesce(dvc_ip, src_ip)
| transaction source_ip, dest_ip BLA BLA BLA

By the way, transaction might not be accurate enough for what you are trying to achieve unless you can easily specify your startWith event and your endWith event.

View solution in original post

0 Karma
Highlighted

Re: How to group various logs from different indexes with different field names, but same values?

Builder

I did not know about using an alias. The time between the three logs are all within a 1-minute span. Trying alias now.

0 Karma