Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Listing the common fields from 2 Indexes that that dont exist during a specified time

Ansab
Engager
‎11-14-2022 01:41 PM

I am trying to correlate authentication attempts [ index_A (username, role) vs index_B (username, authentication_time) ]

I want users returned from index_A who dont show up in index_B over last certain number of days (ex. 14 days)

To word it better, unique fields from index_A (which live in index_A) which can show up in index_B but I want to list the ones that dont show up 

My current solutions is piping a search between the 2 indexes over a "username" field but that lists all the matching items and not unique items from index_A which are not in index_B 

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2022 02:42 PM

What is your timeframe for searching index A?

A simple example would be

index=A OR index=B
| stats values(index) as indexes values(authentication_time) as authentication_time values(role) as rol by username
| where mvcount(indexes)=1 AND indexes="A"

which will search both A and B and then collect the fields you want (role, authentication_time) and also index. It then counts the number of types of index and will only report those that have index A

You could also change the time range for the searches for index A and B by adding brackets and earliest/latest filter criteria to the search, e.g.

(index=A earliest=@d latest=now) OR (index=B earliest=-2w latest=now)
...

which will look in index A for today and index B for the last two weeks.

This fits the first part of your question, but when you mention unique fields in index A that does not address that - is that something extra you want?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...