Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Trouble with time in join

jdmeek
Explorer
‎11-06-2024 10:54 AM

I have an index with events containing a src_ip but not a username for the event.   I have another index of VPN auth logs that has the assigned IP and username.  But the VPN IPs are randomly assigned.

I need to get the username from the VPN logs where vpn.client_ip matches event.src_ip.  But I need to make sure that the returned username is the one that was assigned during the event. 

In short, I need to get the last vpn client_ip assignment to match the event.src_ip BEFORE the event so the vpn.username would be the correct one for event.src_ip.

Here's a generic representation of my current query but I get nothing back.

index=event ... | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=vpn]



  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-06-2024 11:37 AM

Hi there,

Take a look at this https://community.splunk.com/t5/Splunk-Search/How-to-compare-fields-over-multiple-sourcetypes-withou... 

Basically, what you need to do is use an eval to normalise the client IP:

| eval clientIp = coalesce(vpn.client_ip,matches event.src_ip)

and use a 'stats ... by clientIp'

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-06-2024 11:37 AM

Hi there,

Take a look at this https://community.splunk.com/t5/Splunk-Search/How-to-compare-fields-over-multiple-sourcetypes-withou... 

Basically, what you need to do is use an eval to normalise the client IP:

| eval clientIp = coalesce(vpn.client_ip,matches event.src_ip)

and use a 'stats ... by clientIp'

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

jdmeek
Explorer
‎11-06-2024 11:56 AM

Thanks!  

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...