Hi, I'm doing two searches with custom rex extraction of fields. For both searches, I have named all the fields I extracted the same. I wish to display both searches in one single table. Unfortunately, when I use join, append or appendcols it doesn't show the results of the searches. Both searches are as below. Can anyone tell me a way to combine them? Thanks.
1st search
index=fw logid=*32002 | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\"" | eval acddev=acddevname . "(" . acdlogsource . ")" | top limit=0 _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:" | convert ctime(Date/Time:)
2nd search
index=system "4625" | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source " | eval acddev=acddevname . "(" . acdlogsource . ")" | eval acdfrom=acdfromname . "(" . acdfromip . ")" | rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g" | rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g" | rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g" | rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g" | rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g" | rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g" | rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g" | top _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:" | convert ctime(Date/Time:)
EDIT: FYI, this will be used as a real-time search, so even though append doesn't work, I don't think it'll be good to use append.
Decided to run the search as one search like below:
(index=fw logid=*32002) OR (index=system "4625") | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user=\"(?P<acduser>.*?)\" +ui=(?P<acdfrom>.*?) action.*reason=\"(?P<acdreason>.*?)\"" | rex field=_raw "^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source " | eval acddev=acddevname . "(" . acdlogsource . ")" | eval acdfromwin=acdfromname . "(" . acdfromip . ")" | rename acdfromwin as "acdfrom" | rex field=acdreason mode=sed "s/0xc0000064/name_invalid/g" | rex field=acdreason mode=sed "s/0xc000006a/passwd_invalid/g" | rex field=acdreason mode=sed "s/0xc0000234/acct_locked/g" | rex field=acdreason mode=sed "s/0xc0000072/acct_disabled/g" | rex field=acdreason mode=sed "s/0xc0000193/acct_expired/g" | rex field=acdreason mode=sed "s/0xc0000071/passwd_expired/g" | rex field=acdreason mode=sed "s/0xc000015b/no_logon_rights/g" | top limit=0 _time acddev acduser acdfrom acdreason | fields - percent | rename _time as "Date/Time:", acddev as "Device Name/IP:", acduser as "User:", acdfrom as "Attempt From:", acdreason as "Reason:", count as "Count:"
If anyone has a better way of doing it, please do tell me. Thanks!
Most of the time it's better to replace any sub searches, and you finally got it. If you need some more inspiration about replacing sub searches, please read here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or the March Session 2016 here http://wiki.splunk.com/Virtual_.conf
cheers, MuS
Thanks! But I just fear the rex conflicting with each other, even though the formats for the logs of the different indexes are different. Eventually I will do a permanent field extraction instead of doing multiple rex in a single search. Currently I'm still just testing it out.
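An added check of the concern raised in the last comment, not code from the thread: the two rex patterns from the combined search are applied, unchanged, to two constructed sample events (a FortiGate-style logid 32002 line and a Windows 4625 event flattened onto one line, both invented here), to show that each pattern matches only its own log format, and the seven sed-mode rex rewrites are replaced by one lookup table. The field names, sample hosts and IPs are assumptions for the example.

```python
import re
from collections import Counter

# Regexes copied from the page's combined search (Python's re accepts (?P<name>...) groups).
FW_RX = re.compile(r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*devname=(?P<acddevname>.*?) devid.*user="(?P<acduser>.*?)" +ui=(?P<acdfrom>.*?) action.*reason="(?P<acdreason>.*?)"')
WIN_RX = re.compile(r'^(?:[^ \n]* ){4}(?P<acdlogsource>[^ ]+) .*Account Name:(?P<acddevname>.*?)\$?.Account .*Account Name:(?P<acduser>.*?)Account .*Sub Status:(?P<acdreason>.*?)Process .*Workstation Name:(?P<acdfromname>.*?)Source Network Address:(?P<acdfromip>.*?)Source ')

# The seven sub-status codes the search rewrites with sed-mode rex, as a single lookup.
SUB_STATUS = {
    "0xc0000064": "name_invalid", "0xc000006a": "passwd_invalid",
    "0xc0000234": "acct_locked", "0xc0000072": "acct_disabled",
    "0xc0000193": "acct_expired", "0xc0000071": "passwd_expired",
    "0xc000015b": "no_logon_rights",
}

# Constructed sample events (hosts, IPs and user names are made up for this example).
SAMPLE_EVENTS = [
    'Mar 1 12:00:01 syslog 10.1.1.1 date=2016-03-01 time=12:00:01 devname=FG100D devid=FG100D-EXAMPLE logid=0100032002 type=event user="admin" ui=ssh(10.1.1.50) action=login status=failed reason="name_invalid"',
    'Mar 1 12:00:02 syslog 10.1.1.20 EventCode=4625 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: WS22$ Account Domain: CORP Logon ID: 0x0 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: jdoe Account Domain: CORP Failure Information: Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Network Information: Workstation Name: WS22 Source Network Address: 10.1.1.77 Source Port: 51234',
    'Mar 1 12:00:03 syslog 10.1.1.20 EventCode=4625 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: WS22$ Account Domain: CORP Logon ID: 0x0 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: jdoe Account Domain: CORP Failure Information: Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Network Information: Workstation Name: WS22 Source Network Address: 10.1.1.77 Source Port: 51234',
]

def normalize(raw):
    """Return one row with the page's common field names, or None if neither pattern matches."""
    m = FW_RX.search(raw)
    if m:
        g = {k: v.strip() for k, v in m.groupdict().items()}
        return {"dev": f'{g["acddevname"]}({g["acdlogsource"]})', "user": g["acduser"],
                "from": g["acdfrom"], "reason": g["acdreason"]}
    m = WIN_RX.search(raw)
    if m:
        # The Windows captures keep surrounding blanks (e.g. " 0xc000006a "), so strip them.
        g = {k: v.strip() for k, v in m.groupdict().items()}
        code = g["acdreason"].lower()
        return {"dev": f'{g["acddevname"]}({g["acdlogsource"]})', "user": g["acduser"],
                "from": f'{g["acdfromname"]}({g["acdfromip"]})',
                "reason": SUB_STATUS.get(code, code)}  # unknown codes pass through unchanged
    return None

def failed_logins(events):
    """Equivalent of the search's 'top' over the combined fields: count identical rows."""
    rows = [r for r in (normalize(e) for e in events) if r]
    counts = Counter(tuple(sorted(r.items())) for r in rows)
    return [{**dict(k), "count": c} for k, c in counts.most_common()]

if __name__ == "__main__":
    for row in failed_logins(SAMPLE_EVENTS):
        print(row)
```

Because the firewall pattern needs a literal `devname=` and the Windows pattern a literal `Account Name:`, neither matches the other source's events, so the two rex commands in one search do not overwrite each other's fields.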