- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Joining indexes for stats results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Joining indexes for stats results
I have three indexes I am trying to join that have at least three similar columns each. I want to table the results in order to generate a report and alert. What would be the fastest method to work around using the join command if possible? Because my environment is built to min specs I need to not utilize something that is not resource heavy. Below is my query the "| table" is where I am having issues. Cyber is my elevated account vault AD is my active directory and the unix is for my redhat environment. I am a little lost currently as I have not played with Splunk in a couple of years.
index=cyber AND index=AD AND index=unix
| table _eventtime, issuer, requestor, purpose (for cyber)
| table user, issuer, elevID, action (for AD)
| table user, path, cmd (for unix)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct for not wanting to use join, for join is perhaps not what you need. But you need to give us precise prescription about the field or fields you want to join these three indices. Two of them have an identical field name "user". Do they have the same values? (Window and Unix usually do not.) Then, a different pair of indices have an identical field name "issuer". Then, there is yet another field name in cyber bearing semantic semblance of a user, namely "requestor". Is this the field you want to "join" with the "user" field in the other two indices?
If you want to join requestor in cyber with user in the other two indices, the following should be your first draf:
index IN (cyber, AD, unix)
| rename requestor AS user
| stats values(_eventtime) as _event_time, values(issuer) as issuer values(purpose) as purpose
values(elevID) as evelID, values(action) as action
values(path) as path, values(cmd) as cmd by userEven so, there can be variations depending on other requirements. Unless you give a prescription, others cannot give you a good answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the insight. The "| table * *" were the columns that all match with variances in AD and unix. I have everything broken down specifically per each index in order to have somewhat of a uniform and sanitary environment. I am having to retake a crash course right now in splunk query. Let me try the method you prescribed and we can continue from there. I'll double check my column headers between the three indexes. I will be more precise in my explanation on my next follow up. Thank you.
..update..
index=cyber AND index=AD
| table act, devtype, safe, issuer, username, purpose (for cyber)
| table audit, e_user, evnt_cat, evnt_tsk, proc_name, (for AD)
index=cyber AND index=unix
| table act, devtype, safe, issuer, username, purpose (for cyber)
| table proc, src, user, msg (for unix)
Double checked my data. AD and unix searches are never done together, always cyber and one or the other.
New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...
Improve Data Pipelines Using Splunk Data Management
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
