Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search multiple login failures in two indexes where field names for host are different, using if, join or subsearch?

Kishorebk
New Member
‎12-29-2014 12:35 AM

I'm writing a query for multiple login failures, and failures are also seen in exchange logs. I'm finding it difficult to search in two indexes where the fields showing the host are different:

The thing here is, we have a server which is seen ( both in windows and exchange logs , but with different field names ) and when seen in exchange logs, shows the device and command it issued which helps me investigate better. So if i see the server name in exchange index, i need to get the DeviceType and Cmd in my end report with other fields.

Under windows the servers show under "Caller_Computer_Name", and in exchange it shows up as "Host".

Indexes needed: Windows and exchange
Fields needed: Caller_Computer_Name, Account_Domain, ComputerName, timestamp, DeviceType ( field from exchange ), Cmd ( field from exchange)

index="windows_dc"  EventCode="4740"  | convert ctime(_time) as timestamp | stats count values(Caller_Computer_Name) as Caller_computer, values(Account_Domain) as Domain ,values(ComputerName) as ComputerName ,values(timestamp) as timestamp ,  by user | sort - count

Thanks Kishore

Tags (4)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-29-2014 01:06 AM

Hi Kishorebk,

take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea how it can be done.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...