
Join not working for two different searches

ZacEsa
Communicator

Hi, I'm doing two searches with custom rex extraction of fields. For both searches, I have named all the fields I extracted the same. I wish to display both searches in one single table. Unfortunately, when I use join, append, or appendcols it doesn't show the results of the searches. Both searches are below. Can anyone tell me a way to combine them? Thanks.

1st search

index=fw logid=*32002
| rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\""
| eval acddev=acddevname . "(" . acdlogsource . ")"
| top limit=0 _time acddev acduser acdfrom acdreason
| fields - percent
| rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:"
| convert ctime(Date/Time:)

2nd search

index=system "4625"
| rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source "
| eval acddev=acddevname . "(" . acdlogsource . ")"
| eval acdfrom=acdfromname . "(" . acdfromip . ")"
| rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g"
| rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g"
| rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g"
| rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g"
| rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g"
| rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g"
| rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g"
| top _time acddev acduser acdfrom acdreason
| fields - percent
| rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:"
| convert ctime(Date/Time:)

EDIT: FYI, this will be used as a real-time search, so even though append doesn't work, I don't think it would be good to use append anyway.

0 Karma
1 Solution

ZacEsa
Communicator

Decided to run the search as one search, like below:

(index=fw logid=*32002) OR (index=system "4625")
| rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\""
| rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source "
| eval acddev=acddevname . "(" . acdlogsource . ")"
| eval acdfromwin=acdfromname . "(" . acdfromip . ")"
| rename acdfromwin as "acdfrom"
| rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g"
| rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g"
| rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g"
| rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g"
| rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g"
| rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g"
| rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g"
| top limit=0 _time acddev acduser acdfrom acdreason
| fields - percent
| rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:"

If anyone has a better way of doing it, please do tell me. Thanks!

MuS
SplunkTrust

Most of the time it's better to replace any subsearches, and you finally got it. If you need some more inspiration about replacing subsearches, please read here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or the March 2016 session here http://wiki.splunk.com/Virtual_.conf

cheers, MuS

ZacEsa
Communicator

Thanks! But I just fear the rex extractions conflicting with each other, even though the log formats for the different indexes are different. Eventually I will do a permanent field extraction instead of doing multiple rex in a single search. Currently I'm still just testing it out.

0 Karma
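The following is an added Python example, not code from the original post or from Splunk, that lets you check the accepted single-search approach and the concern in the last reply offline. It applies the two rex patterns exactly as posted to constructed FortiGate and syslog-style Windows 4625 lines, builds the same acddev/acduser/acdfrom/acdreason fields, aggregates them the way top limit=0 does, and reports whether either pattern also matches the other source's events. The log lines, host names, IP addresses and user names are made up; the Windows events are single-line (syslog-forwarded) because the posted regex uses .* without (?s) and would not span the multi-line event format the Splunk Windows add-on produces. Two details deliberately differ from the posted search: the Sub Status code is lower-cased before lookup, because the posted sed substitutions are literal lowercase strings and would leave a code rendered as 0xC000006A untouched, and _time is left out of the grouping so that repeated failures actually aggregate.

```python
import re
from collections import Counter
from typing import Optional

# The two extractions exactly as posted in the thread (PCRE syntax that Python's re
# module also accepts). "." does not cross a newline in either engine, so these only
# work on single-line events.
FW_RE = re.compile(
    r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid'
    r'.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\"'
)
WIN_RE = re.compile(
    r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account '
    r'.*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process '
    r'.*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source '
)

# Sub Status codes and labels taken from the posted sed substitutions. The sed patterns
# are literal lowercase strings; this lookup lower-cases the code first so an event that
# renders it as 0xC000006A still gets a label.
SUBSTATUS = {
    "0xc0000064": "name_invalid",
    "0xc000006a": "passwd_invalid",
    "0xc0000234": "acct_locked",
    "0xc0000072": "acct_disabled",
    "0xc0000193": "acct_expired",
    "0xc0000071": "passwd_expired",
    "0xc000015b": "no_logon_rights",
}


def parse_event(raw: str) -> Optional[dict]:
    """Apply both extractions to one event and build the four display fields.

    Mirrors the combined search: whichever rex matches supplies the fields, and
    acdfrom is built per source (FortiGate ui=... vs. Windows workstation(ip)).
    """
    m = FW_RE.search(raw)
    if m:
        return {
            "acddev": f"{m['acddevname']}({m['acdlogsource']})",
            "acduser": m["acduser"],
            "acdfrom": m["acdfrom"],
            "acdreason": m["acdreason"],
        }
    m = WIN_RE.search(raw)
    if m:
        code = m["acdreason"].strip().lower()
        return {
            # The Windows captures carry the surrounding spaces, hence strip().
            "acddev": f"{m['acddevname'].strip()}({m['acdlogsource']})",
            "acduser": m["acduser"].strip(),
            "acdfrom": f"{m['acdfromname'].strip()}({m['acdfromip'].strip()})",
            "acdreason": SUBSTATUS.get(code, code),
        }
    return None  # neither extraction matched: the event contributes nothing, as in Splunk


def patterns_conflict(events) -> bool:
    """True if any event is matched by BOTH extractions (the concern raised in the thread)."""
    return any(FW_RE.search(e) and WIN_RE.search(e) for e in events)


def top_failures(events):
    """Equivalent of top limit=0 over the four fields: [(fields, count), ...] by count desc.

    _time is left out of the grouping so that repeated failures aggregate.
    """
    counts = Counter()
    for raw in events:
        rec = parse_event(raw)
        if rec is not None:
            counts[(rec["acddev"], rec["acduser"], rec["acdfrom"], rec["acdreason"])] += 1
    return counts.most_common()


# Constructed sample events (not from the original post). The syslog header is shaped so
# that the fifth space-separated token is the sending host, as the posted regexes expect.
_FW_FAIL = (
    "Mar 01 10:00:00 2016 10.1.1.1 date=2016-03-01 time=10:00:00 devname=FGT01 "
    "devid=FG100D3G12345678 logid=0100032002 type=event subtype=system level=alert "
    'user="admin" ui=https(10.0.0.5) action=login status=failed reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(10.0.0.5) because of invalid password"'
)
_FW_OK = (  # a successful login: no reason="...", so the FortiGate rex must not match
    "Mar 01 10:07:00 2016 10.1.1.1 date=2016-03-01 time=10:07:00 devname=FGT01 "
    "devid=FG100D3G12345678 logid=0100032001 type=event subtype=system level=information "
    'user="admin" ui=https(10.0.0.5) action=login status=success'
)
_WIN_BADPW = (
    "Mar 01 10:05:12 2016 10.2.2.2 MSWinEventLog Security 4625 Microsoft-Windows-Security-Auditing "
    "Failure Audit DC01 Logon An account failed to log on. Subject: Security ID: S-1-0-0 "
    "Account Name: DC01$ Account Domain: CORP Logon ID: 0x3e7 Logon Type: 3 "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: jsmith Account Domain: CORP "
    "Failure Information: Failure Reason: Unknown user name or bad password. "
    "Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 "
    "Caller Process Name: - Network Information: Workstation Name: WKS-042 "
    "Source Network Address: 10.0.0.77 Source Port: 51234"
)
_WIN_NOUSER = _WIN_BADPW.replace("Account Name: jsmith", "Account Name: nosuchuser").replace(
    "Sub Status: 0xC000006A", "Sub Status: 0xC0000064"
)
SAMPLE_EVENTS = [_FW_FAIL, _WIN_BADPW, _FW_FAIL, _WIN_NOUSER, _FW_OK]

if __name__ == "__main__":
    print("extractions overlap:", patterns_conflict(SAMPLE_EVENTS))
    for (dev, user, src, reason), n in top_failures(SAMPLE_EVENTS):
        print(f"{n:>3}  {dev:<18} {user:<12} {src:<22} {reason}")
```

Run it directly to print the combined table. patterns_conflict is the check worth keeping when the extractions move into a permanent field extraction: each regex stays tied to its own source only as long as the other format never contains the anchors it keys on (devname= and reason=" for FortiGate, Account Name: and Sub Status: for Windows), so rerun it whenever a new log source lands in either index.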