Re: search filed values from sourcetype1 to anothe...

shrinivaskittur · ‎08-22-2021

Hi,
I need help in searching field value from the first search to another search with deferent sourcetype and combine both search fields in one table.
but the issue is filed name is the same in both sourcetype but the values are different.
example:

Sourcetype 1 has filed name "user" with value "ABCD"

sourcetype 2 has filed name "user" with value "xxx\\ABCD"

I tried with below query but not getting the output

jwalthour · ‎08-22-2021

Try this:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| eval user=replace(user,"xxx\\\\\\\\","")
| rename user as User
| stats values(Email) as Email values(HostName) as HostName values(HostIP) as HostIP values(FileName) as FileName values(Message) as Message by User

If you like it, please mark it as the Solution; if not, let me know what needs changed.

shrinivaskittur · ‎08-22-2021

Hello Jwalthour,

Thank you for your reply, but the "xxx" is not static value here, need some command to remove all text before "\\" and including "\\"

jwalthour · ‎08-22-2021

Replace line 2 with:

| rex field=user "^\S{3}\\\\\\\\(?P<user>[\s\S]+)"

or this gets you there, too:

| rex field=user "\\\\\\\\(?P<user>[\s\S]+)"

shrinivaskittur · ‎08-23-2021

Hi,

Sorry for coming again, I have verified the output table and the table contain only the field of sourcetype1 and the sourcetype2 field values are showing blank

search filed values from sourcetype1 to another sourcetype2

join

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes