Hi, I'm trying to see if there is an easy way to take a result from event error codes, attempting to logon a disabled account for example, and pipe those users/events to see if they ended up successfully logging in. I'm very new to this so any guidance is much appreciated!
Hi ejans100,
this is called using a subsearch, and it can provide results from one search to another search. There are some things you need to consider before using subsearches, easiest to read here: http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_con...
To your question, and without knowing anything about your events you can do something like this:
index=2 [ index=1 account_status="disabled" action="login" | return account ] | ...
what this does is: it runs the subsearch first (important to know!) and returns the account from index=1
for disabled account_status which had an action=login,
and then searches index=2
for the accounts found in index=1.
This is a very simple and basic example, there are also other ways to do this using lookups or stats. But give this a try ...
Hope this helps ...
cheers, MuS
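To make the two-stage behaviour of that subsearch concrete, here is an added example (not from the answer above or from Splunk) that replays the same logic in plain Python over constructed sample events: the inner query runs first and yields a set of accounts, then the outer query is filtered to them. The field names (account, account_status, action, result) and the two "index" lists are assumptions mirroring the answer; the last function goes one step further than the answer by keeping only successes that happened after the account's first disabled-login attempt.

```python
from datetime import datetime

# Constructed sample events standing in for index=1 (logon attempts) and
# index=2 (successful logons). Field names are hypothetical, as in the answer.
INDEX1 = [
    {"_time": "2024-05-01T08:00:00", "account": "jdoe", "account_status": "disabled", "action": "login"},
    {"_time": "2024-05-01T08:05:00", "account": "svc_backup", "account_status": "disabled", "action": "login"},
    {"_time": "2024-05-01T08:06:00", "account": "asmith", "account_status": "enabled", "action": "login"},
]
INDEX2 = [
    {"_time": "2024-05-01T07:50:00", "account": "jdoe", "result": "success"},
    {"_time": "2024-05-01T08:30:00", "account": "jdoe", "result": "success"},
    {"_time": "2024-05-01T09:00:00", "account": "asmith", "result": "success"},
]


def subsearch_accounts(events):
    """Stage 1, the inner search: it runs first and, like `| return account`,
    yields the distinct accounts that attempted a login while disabled."""
    return {e["account"] for e in events
            if e["account_status"] == "disabled" and e["action"] == "login"}


def outer_search(events, accounts):
    """Stage 2, the outer search over index=2, restricted to the accounts
    the subsearch returned (equivalent to account=A OR account=B ...)."""
    return [e for e in events if e["account"] in accounts and e["result"] == "success"]


def successes_after_disabled_attempt(index1, index2):
    """Beyond the answer: only count a success if it occurred after that
    account's earliest disabled-login attempt, so an older logon is not
    mistaken for the attempt having succeeded."""
    accounts = subsearch_accounts(index1)
    first_attempt = {}
    for e in index1:
        if e["account"] in accounts and e["account_status"] == "disabled":
            t = datetime.fromisoformat(e["_time"])
            first_attempt[e["account"]] = min(first_attempt.get(e["account"], t), t)
    return [e for e in outer_search(index2, accounts)
            if datetime.fromisoformat(e["_time"]) > first_attempt[e["account"]]]


if __name__ == "__main__":
    for hit in successes_after_disabled_attempt(INDEX1, INDEX2):
        print(hit["account"], "logged in at", hit["_time"], "after a disabled-account attempt")
```

Splunk applies the same ordering: the bracketed subsearch completes before the outer search starts, which is why the subsearch result limits in the linked docs matter.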