Splunk Search

Join not working for two different searches

ZacEsa
Communicator

Hi, I'm doing two searches with custom rex extraction of fields. For both searches, I have named all the fields I extracted the same. I wish to display both searches in one single table. Unfortunately, when I use join, append or appendcols it doesn't show the results of the searches. Both searches are as below. Can anyone tell me a way to combine them? Thanks.

1st search

index=fw logid=*32002 | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\"" | eval acddev=acddevname . "(" . acdlogsource . ")" | top limit=0 _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:" | convert ctime(Date/Time:)

2nd search

index=system "4625" | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source " | eval acddev=acddevname . "(" . acdlogsource . ")" | eval acdfrom=acdfromname . "(" . acdfromip . ")" | rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g" | rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g" | rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g" | rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g" | rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g" | rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g" | rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g" | top _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:" | convert ctime(Date/Time:)

EDIT: FYI, this will be used as a real-time search so, even though append doesn't work, I don't think it'll be good to use append.

0 Karma
1 Solution

ZacEsa
Communicator

Decided to run the search as one search like below:

(index=fw logid=*32002) OR (index=system "4625") | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\"" | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source " | eval acddev=acddevname . "(" . acdlogsource . ")" | eval acdfromwin=acdfromname . "(" . acdfromip . ")" | rename acdfromwin as "acdfrom" | rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g" | rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g" | rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g" | rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g" | rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g" | rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g" | rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g" | top limit=0 _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:"

If anyone has a better way of doing it, please do tell me. Thanks!

MuS
Legend

Most of the time it's better to replace any sub searches, and you finally got it. If you need some more inspiration about replacing sub searches, please read here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or the March Session 2016 here http://wiki.splunk.com/Virtual_.conf

cheers, MuS

ZacEsa
Communicator

Thanks! But I just fear the rex extractions conflicting with each other, even though the log formats of the different indexes are different. Eventually I will do a permanent field extraction instead of doing multiple rex in a single search. Currently I'm still just testing it out.

0 Karma
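As an added Python example (not part of the thread, and not Splunk's own code), the following simulates the single-search approach from the accepted solution and checks the concern raised in the last reply: it runs both rex patterns from the thread over a mixed stream of constructed FortiGate 32002 and Windows 4625 events, applies the eval/sed/rename steps, aggregates like `top limit=0`, and counts how many events both patterns match. The sample events are constructed, the Windows 4625 text is flattened onto one line, captured whitespace is trimmed, and `_time` is left out of the aggregation key; those are this example's assumptions, not the thread's.

```python
import re
from collections import Counter

# The two rex patterns from the thread, copied as written except that the \" escapes
# SPL needs inside a quoted rex are plain quotes in a Python raw string.
FORTIGATE_RE = re.compile(
    r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid'
    r'.*user="(?P<acduser>.*?)" +ui=(?P<acdfrom>.*?) action.*reason="(?P<acdreason>.*?)"'
)
WINDOWS_RE = re.compile(
    r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account '
    r'.*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process '
    r'.*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source '
)

# The seven "rex mode=sed" substitutions on acdreason, in the thread's order.
SUBSTATUS_NAMES = {
    "0xc0000064": "name_invalid",
    "0xc000006a": "passwd_invalid",
    "0xc0000234": "acct_locked",
    "0xc0000072": "acct_disabled",
    "0xc0000193": "acct_expired",
    "0xc0000071": "passwd_expired",
    "0xc000015b": "no_logon_rights",
}

# Constructed sample events (not real logs). The first four tokens stand in for the
# syslog header both patterns skip; the Windows 4625 body is flattened onto one line.
FGT_EVENT = (
    "Mar 10 12:00:01 fw-syslog 192.168.1.1 date=2016-03-10 time=12:00:01 devname=FGT-HQ "
    'devid=FG100D3G12345678 logid=0100032002 type=event subtype=system level=alert vd="root" '
    'logdesc="Admin login failed" user="admin" ui=ssh(10.1.1.5) action=login status=failed '
    'reason="passwd_invalid"'
)
WIN_EVENT = (
    "Mar 10 12:00:05 wec01 10.0.0.10 4625 An account failed to log on. Subject: "
    "Security ID: S-1-0-0 Account Name: WIN-DC01$ Account Domain: CORP Logon ID: 0x3E7 "
    "Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: {user} "
    "Account Domain: CORP Failure Information: Failure Reason: {text} Status: 0xc000006d "
    "Sub Status: {sub} Process Information: Caller Process ID: 0x0 Caller Process Name: - "
    "Network Information: Workstation Name: {ws} Source Network Address: {ip} Source Port: 51234"
)
SAMPLE_EVENTS = [
    FGT_EVENT,
    FGT_EVENT,  # repeated on purpose so the table shows Count: 2 for this row
    WIN_EVENT.format(user="jdoe", text="Unknown user name or bad password.",
                     sub="0xc000006a", ws="WS-042", ip="10.2.3.4"),
    WIN_EVENT.format(user="svc_backup", text="Account locked out.",
                     sub="0xc0000234", ws="WS-017", ip="10.2.3.9"),
]


def extract(event):
    """Run both patterns over one event the way two consecutive rex commands do: a
    pattern that does not match leaves the fields alone, so a FortiGate event only
    gets FortiGate fields and a Windows event only Windows fields."""
    fields = {}
    for pattern in (FORTIGATE_RE, WINDOWS_RE):
        match = pattern.search(event)
        if match:
            # Splunk keeps the whitespace these lazy groups capture; trimming it is
            # this example's choice, not something the thread's search does.
            fields.update({k: v.strip() for k, v in match.groupdict().items()})
    return fields


def to_row(fields):
    """Mirror the eval, sed and rename steps that build the displayed columns."""
    if "acddevname" not in fields:
        return None
    reason = fields["acdreason"]
    for code, name in SUBSTATUS_NAMES.items():  # s/code/name/g for each code
        reason = reason.replace(code, name)
    if "acdfromname" in fields:                  # Windows: acdfrom=acdfromname(acdfromip)
        attempt_from = f'{fields["acdfromname"]}({fields["acdfromip"]})'
    else:                                        # FortiGate: acdfrom comes straight from rex
        attempt_from = fields["acdfrom"]
    return {
        "Device Name/IP:": f'{fields["acddevname"]}({fields["acdlogsource"]})',
        "User:": fields["acduser"],
        "Attempt From:": attempt_from,
        "Reason:": reason,
    }


def conflicting_events(events):
    """Count events that BOTH patterns match. The two rex commands share field names,
    so only such events could have one extraction overwrite the other."""
    return sum(1 for e in events if FORTIGATE_RE.search(e) and WINDOWS_RE.search(e))


def failed_logon_table(events):
    """Equivalent of 'top limit=0 ... | fields - percent' over the four display
    columns (the thread also keys on _time; omitted here so repeats aggregate)."""
    counts = Counter()
    for event in events:
        row = to_row(extract(event))
        if row:
            counts[tuple(row.items())] += 1
    table = []
    for key, n in counts.most_common():  # top sorts by count, descending
        row = dict(key)
        row["Count:"] = n
        table.append(row)
    return table


if __name__ == "__main__":
    print("events matched by both patterns:", conflicting_events(SAMPLE_EVENTS))
    for row in failed_logon_table(SAMPLE_EVENTS):
        print(row)
```

The conflict count is the check worth keeping when the two rex commands live in one search: each pattern is anchored on tokens the other format never contains (`devname=` versus `Account Name:`), so it stays at zero for these events, and a non-zero value would flag the overwrite the last reply worries about before it silently mislabels a row.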