Splunk Search

Merging Results from 3 Searches

welkinson
Explorer

Hi, I have 3 searches from 3 different devices. I would like to have 1 report which contains data from the 3 devices in 1 line. I am tracking a user who plugs his PC into a switch, which in turn asks the DHCP server to assign an IP address to him; a role will then be assigned to him by an app server. I want to match the MAC address from the logs of the switch to the MAC address from the logs in the DHCP, then match the IP address from the DHCP logs to the IP address in the app server log. Is this possible? Thanks in advance!

Switch: Switch MAC Address & Local Port

DHCP: MAC Address & IP Address

App Server: IP Address & Role

Report will have :

MAC Address IP Address Role in 1 Line

Edit:
Here are the three searches:

host="10.21.10.23" | rex field=_raw "for client (..[)] on Interface [ ]" | eval switch_mac=switch_mac1.switch_mac2.switch_mac3 | stats count by switch_mac IPort

(host="10.21.10.8" OR host="10.21.10.7") "10.21.23" | rex field=_raw "IP address (?.) is assigned to (?.)[.] ([)]" | stats count by Mac_adr, IPadr

(host="10.21.10.3" OR host="10.21.10.4") "10.21.23" | rex field=_raw " on host (?<clientpc>.*) changed from <(?<FromRole>.*)> to <(?<ToRole>.*)>" | stats count by clientpc, FromRole, ToRole

Thank You

1 Solution

eelisio2
Path Finder

Assuming clientpc is an IP address, I would try the append command to gather the events from your 3 searches and then pipe to the transaction command to correlate. In order for the transaction command to correlate based on field names, you need to change "clientpc" to "IPadr" and also change "switch_mac" to "Mac_adr". (Make sure the spelling of the IP address and MAC address fields match.) Include your 3 searches (without the stats commands) in the framework below:

"Your first search"

| append
[search "Your second search"]

| append
[search "Your third search"]

| transaction Mac_adr IPadr


welkinson
Explorer

Yes,

Finally got it. Many many thanks!


eelisio2
Path Finder

Assuming you have the appropriate fields extracted, you should be able to use the transaction command:

sourcetype=Switch OR sourcetype=DHCP OR sourcetype=Appsvr | transaction MacAddress IPAddress | table MacAddress IPAddress Role

eelisio2
Path Finder

Your searches' results depend on having certain fields (MacAddress, IPAddress, Role). Fields can be automatically extracted by Splunk at search time based on key-value pairs in the log events, or they can be extracted explicitly by editing props.conf (and transforms.conf if necessary).
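The following is an added worked example, not a search from this thread, that puts together the two points made above: the fields have to exist with matching names before the correlation can work (here they are extracted at search time with rex, which the original three searches already do), and the accepted answer's append + transaction framework then chains switch MAC -> DHCP MAC/IP -> app-server IP/role. The host addresses and field names (switch_mac, IPort, Mac_adr, IPadr, clientpc, FromRole, ToRole) are the ones from the question; the regex patterns, the MAC normalisation and the maxspan value are assumptions, since the exact log formats are not shown in the thread.

```spl
host="10.21.10.23"
    | rex field=_raw "for client (?<switch_mac>\S+) on Interface (?<IPort>\S+)"
    | rename switch_mac AS Mac_adr
| append
    [ search (host="10.21.10.8" OR host="10.21.10.7")
        | rex field=_raw "IP address (?<IPadr>\d{1,3}(?:\.\d{1,3}){3}) is assigned to (?<Mac_adr>\S+)" ]
| append
    [ search (host="10.21.10.3" OR host="10.21.10.4")
        | rex field=_raw " on host (?<clientpc>\d{1,3}(?:\.\d{1,3}){3}) changed from <(?<FromRole>[^>]*)> to <(?<ToRole>[^>]*)>"
        | rename clientpc AS IPadr ]
| eval Mac_adr=lower(replace(Mac_adr, "[^0-9A-Fa-f]", ""))
| transaction Mac_adr IPadr maxspan=15m
| table _time Mac_adr IPort IPadr FromRole ToRole
```

Two things worth checking before trusting the output. First, transaction only links events whose field values are byte-for-byte identical, and switches and DHCP servers frequently write the same MAC in different notations (for example `0011.2233.4455` versus `00:11:22:33:44:55`); the eval line strips separators and lowercases the value after all three sets of events have been appended, so the switch and DHCP copies of the address agree. Second, append runs each bracketed search as a subsearch, which is subject to the subsearch event and time limits, so on a busy DHCP or app server narrow the subsearch time range or add terms such as the "10.21.23" string from the original searches; maxspan likewise keeps one long-lived MAC from being glued to a later, unrelated lease.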


welkinson
Explorer

Hi Thanks for your answer, what do you mean by appropriate fields extracted. Thanks!
