Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- lookup username from seperate search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am performing a search on some data that contains the computername, drive letter, and path of drives mapped to the computer. I also have a second search that returns the username associated with the computer. How can I add a field to the first search that ties the computername in search 1 to the username in search 2. Can I do this with a eval/subsearch or by doing a lookup to a csv file?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can probably do this by a subsearch if you just want to find a mapped paths, drive letter etc from a single user, but it's a bit hard to say since you don't give all that much information of your desired output or sample logs.
Otherwise you might have to resort to a join, which is rather expensive.
The join approach would give you something like
sourcetype=A | join COMPUTERNAME [search sourcetype=B | fields COMPUTERNAME, USER_NAME] | table USER_NAME, COMPUTERNAME, DRIVELETTER, PATH
More information would allow you to get better help.
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can probably do this by a subsearch if you just want to find a mapped paths, drive letter etc from a single user, but it's a bit hard to say since you don't give all that much information of your desired output or sample logs.
Otherwise you might have to resort to a join, which is rather expensive.
The join approach would give you something like
sourcetype=A | join COMPUTERNAME [search sourcetype=B | fields COMPUTERNAME, USER_NAME] | table USER_NAME, COMPUTERNAME, DRIVELETTER, PATH
More information would allow you to get better help.
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this seemed like the easiest way to get what I was wanting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think a subsearch would do the trick if you need to look up the username/computername data dynamically.
sourcetype=<src-1> computername=*
[source=<src-2> computername=* | fields username ]
| stats values(username)....by computername
But if you had a list of computernames and usernames available as a CSV you could do a lookup table as well at the end.
sourcetype=* | stats values(computername) AS computername | lookup user_table computername OUTPUT username AS "User"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
