How to search for events from sourcetype1 and check for occurrences of the same events in sourcetype2?

ivanlesk
Engager

Hi,

I have first sourcetype=st1 with information about changes on users. I want to get a particular set of users (their last changes) with:

index=A sourcetype="st1" COLUMN="SOMETHING" | table col1 col2 col3 col4

In sourcetype="st2" I have columns col1 col2 col3 col4 col5. Columns col1 col2 col3 col4 are the "key" for finding specific users (both in st1 and st2).

I want to create an alert (either realtime or cron based) that will get a subset (list of col1 col2 col3 col4) from the first sourcetype, and then alert when an event happens in the second sourcetype that has a "col1 col2 col3 col4" combination that exists in the subset from the first search.

e.g.

st1
 col1 col2 col3 col4
  0    0    0    1
  5    9    3    6
  2    9    19   0

st2
 col1 col2 col3 col4
  0    0    0    2
  0    0    0    2
  0    0    0    2
  0    0    0    2
  0    0    0    1
  5    9    3    6

Alert would be sent when 0 0 0 1 and 5 9 3 6 occurred in st2 sourcetype.

What is the best approach to this problem (performance wise) and how to "join" those two searches?

Subset from first sourcetype can have a few thousand events and more than a year between first and last events.

1 Solution

somesoni2
Revered Legend

Try something like this

index=A sourcetype="st2" [search index=A sourcetype="st1" COLUMN="SOMETHING" | table col1 col2 col3 col4] | table col1 col2 col3 col4 col5

Set the alert condition to trigger when the number of results of the above search is greater than 0.
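An added example, not from the thread: a Python simulation of what the accepted answer's subsearch does. Splunk expands the subsearch's rows into an OR of field="value" AND-groups and applies that filter to the outer st2 search; the same logic is run here offline over the question's sample rows, with a check against Splunk's default subsearch result limit (limits.conf [subsearch] maxout = 10000), which matters when the st1 subset runs to thousands of events.

```python
KEY_FIELDS = ("col1", "col2", "col3", "col4")

# Constructed sample rows, copied from the question's st1 and st2 tables.
ST1_ROWS = [
    {"col1": "0", "col2": "0", "col3": "0", "col4": "1"},
    {"col1": "5", "col2": "9", "col3": "3", "col4": "6"},
    {"col1": "2", "col2": "9", "col3": "19", "col4": "0"},
]
ST2_ROWS = [
    {"col1": "0", "col2": "0", "col3": "0", "col4": "2", "col5": "ev1"},
    {"col1": "0", "col2": "0", "col3": "0", "col4": "2", "col5": "ev2"},
    {"col1": "0", "col2": "0", "col3": "0", "col4": "2", "col5": "ev3"},
    {"col1": "0", "col2": "0", "col3": "0", "col4": "2", "col5": "ev4"},
    {"col1": "0", "col2": "0", "col3": "0", "col4": "1", "col5": "ev5"},
    {"col1": "5", "col2": "9", "col3": "3", "col4": "6", "col5": "ev6"},
]

# Default limits.conf [subsearch] maxout. Rows beyond it are dropped from
# the generated filter, so an alert built this way silently misses keys.
SUBSEARCH_MAXOUT = 10000


def key_of(row):
    """The four-column 'key' shared by st1 and st2."""
    return tuple(row.get(f, "") for f in KEY_FIELDS)

def subsearch_filter(rows):
    """Render the filter Splunk substitutes for the subsearch: one
    AND-group of field="value" terms per row, the groups joined by OR."""
    groups = ["(" + " AND ".join(f'{f}="{r[f]}"' for f in KEY_FIELDS) + ")"
              for r in rows]
    return " OR ".join(groups)

def matching_events(outer, subsearch):
    """Outer-search rows whose key appears in the subsearch result set."""
    keys = {key_of(r) for r in subsearch}
    return [r for r in outer if key_of(r) in keys]

def alert_should_fire(outer, subsearch):
    """The answer's alert condition: number of results greater than 0."""
    return len(matching_events(outer, subsearch)) > 0

def truncated_by_subsearch_limit(subsearch):
    """True when the st1 subset exceeds the default subsearch maxout."""
    return len(subsearch) > SUBSEARCH_MAXOUT
```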


ivanlesk
Engager

This helped a lot. I've expanded your search with join.

thx


lpolo
Motivator

Do both log source types use the same log format?

Thanks,
Lp


ivanlesk
Engager

Nope, they are generated from different services; they just have the same "key" in the form of 4 columns.
