I am performing a search on some data that contains the computername, drive letter, and path of drives mapped to the computer. I also have a second search that returns the username associated with the computer. How can I add a field to the first search that ties the computername in search 1 to the username in search 2? Can I do this with an eval/subsearch or by doing a lookup to a CSV file?
Thanks.
You can probably do this by a subsearch if you just want to find the mapped paths, drive letter etc. from a single user, but it's a bit hard to say since you don't give all that much information about your desired output or sample logs.
Otherwise you might have to resort to a join, which is rather expensive.
The join approach would give you something like
sourcetype=A | join COMPUTERNAME [search sourcetype=B | fields COMPUTERNAME, USER_NAME] | table USER_NAME, COMPUTERNAME, DRIVELETTER, PATH
More information would allow you to get better help.
/Kristian
Thanks, this seemed like the easiest way to get what I was wanting.
I think a subsearch would do the trick if you need to look up the username/computername data dynamically.
sourcetype=<src-1> computername=*
[source=<src-2> computername=* | fields username ]
| stats values(username)....by computername
But if you had a list of computernames and usernames available as a CSV you could do a lookup table as well at the end.
sourcetype=* | stats values(computername) AS computername | lookup user_table computername OUTPUT username AS "User"
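Kristian's join and the subsearch/lookup answer above can both be tried without indexed data. The following is an added example, not code from either poster: it constructs a few events with makeresults (sourcetype A holds the mapped drives, sourcetype B the computer-to-user records; the hostnames WS01 to WS03, the users alice and bob, and the UNC paths are made up) and then applies the join. WS03 has a mapped drive but no user record, so the example uses type=left to keep that row with an empty USER_NAME instead of silently dropping it, which is what you usually want when attributing drive mappings to users during an investigation.

```spl
| makeresults count=4
| streamstats count AS n
| eval sourcetype="A",
    COMPUTERNAME=case(n==1,"WS01", n==2,"WS02", n==3,"WS02", n==4,"WS03"),
    DRIVELETTER=case(n==1,"H:", n==2,"H:", n==3,"S:", n==4,"P:"),
    PATH=case(n==1,"\\\\fs01\\home\\alice", n==2,"\\\\fs01\\home\\bob",
              n==3,"\\\\fs01\\shared", n==4,"\\\\fs02\\projects")
| fields - n
| join type=left COMPUTERNAME
    [ | makeresults count=2
      | streamstats count AS n
      | eval sourcetype="B",
          COMPUTERNAME=case(n==1,"WS01", n==2,"WS02"),
          USER_NAME=case(n==1,"alice", n==2,"bob")
      | fields COMPUTERNAME, USER_NAME ]
| table USER_NAME, COMPUTERNAME, DRIVELETTER, PATH
```

Note that join defaults to max=1, so a host with several user records keeps only the first match, and the subsearch is subject to the usual subsearch result and time limits. When either matters, searching both sourcetypes together and using eventstats values(USER_NAME) by COMPUTERNAME before filtering to sourcetype A gives the same attribution without a join.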