Solved: Weighting events based on the source they originat...

mjones414 · ‎05-01-2024

I have a summary index that pulls in normalized data from 2 different sources (entirely different applications that catalog and categorize the data differently). In situations where I have events in the summary index from both sources, they are 99.99% of the time duplicates of eachother, however source 1 has better data fidelity than source 2. Lets say if I weighted High Fidelity source with a 1 and Low fidelity source with a 2, I'm trying to find a way to filter with a by clause on another field which both events have (like device, or ip_address). something logically like:

|where source=coalesce("sourcename1","sourcename2") by field

but where doesnt take a by clause.

In the past I've done similar things by coalescing each field I want with a case statement, but in this case there are quite a few and I'm wondering if there's a more efficient way of doing it.

any ideas on the best way to accomplish this?

ITWhisperer · ‎05-01-2024

| eval fidelity=if(source="source 1", 1, 2)
| eventstats min(fidelity) as best by device
| where fidelity == best

View solution in original post

mjones414 · ‎05-01-2024

I owe you a lot of beers!

ITWhisperer · ‎05-01-2024

| eval fidelity=if(source="source 1", 1, 2)
| eventstats min(fidelity) as best by device
| where fidelity == best

Weighting events based on the source they originate from

fields

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout