correlate two seperate searchs

JWBailey · ‎05-15-2014

What is the most efficient way to correlate results from two separate searches? I can perform two searches, but only want to see the end results when they meet very specific criteria applied to both original search results.

For example:

Search 1: [Sourcetype = Enter]

Returns results like this:

Sourcetype = Enter

Time = 11:05AM

Employee = Sara

Door = West#3

Shirt = Red

Search 2: [Sourcetype = Exit]

Returns results like this:

Sourcetype = Exit

Time = 11:08AM

Employee = Sara

Door = West#3

Shirt = Blue

I am only interested in the specific situation where someone enters and leaves through the same door, within 5 minutes, and is wearing a different shirt (the events above).

I am not even sure the best approach in general to take here.

Any help is appreciated.

Thanks.

somesoni2 · ‎05-15-2014

How about this

sourcetype=Entry OR sourcetype=Exit | transaction Employee,Door | where duration<300 AND mvcount(Shirt)>1

correlate two seperate searchs

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)