I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users. The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data. I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling on what I need to combine in order to make this search work. I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.
(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"
Some of the key fields that I'm trying to reference from the indexes are as follows:
index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group
I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint
(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"
There is nothing wrong with your logic as such, so at this point you will have a data stream that contains two types of event - what are you now looking to do with this?
I expect you are wanting to combine these data sets according to Account_Name, so you would typically do
| stats values(*) as * by Account_Name
but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.
| fields Account_Name a b c x y z
Thanks for your help 🙂 Combining the data sets using "| stats values(*) as * by Account_Name" I was able to get what I'm looking for:
(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
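The following is an added Python model of the correlation built in SPL above (the answer's stats-by-Account_Name approach and the final search in this reply); it is not code from the thread or from Splunk. The events are constructed samples with the field names the thread uses (Account_Name, sAMAccountName, OU, EventCode); the function names are my own. It makes the join semantics explicit: an account only survives the final filter when a 4740 event and an AD record in the chosen OU both contributed to its group, and the lower() normalisation is what lets "Test-User" in the Windows event match "test-user" in AD.

```python
# Added example, not from the Splunk Answers thread: a plain-Python model of the
# "base search OR base search | eval coalesce | stats values(*) by Account_Name | where"
# pipeline, so the join semantics can be checked offline on constructed events.
from collections import defaultdict

# Constructed sample events (one dict per Splunk event); not real log data.
WINEVENTLOG = [
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4740", "Account_Name": "Test-User"},
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4740", "Account_Name": "svc-backup"},
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4625", "Account_Name": "test-user"},
]
ACTIVEDIRECTORY = [
    {"index": "activedirectory", "sourcetype": "ActiveDirectory", "sAMAccountName": "test-user", "OU": "Test Users"},
    {"index": "activedirectory", "sourcetype": "ActiveDirectory", "sAMAccountName": "svc-backup", "OU": "Service Accounts"},
    {"index": "activedirectory", "sourcetype": "ActiveDirectory", "sAMAccountName": "other-user", "OU": "Test Users"},
]


def base_search(events, ou):
    """The disjunctive base search: 4740 lockouts OR AD records in the target OU."""
    for e in events:
        is_lockout = (e.get("index") == "wineventlog"
                      and e.get("sourcetype") == "wineventlog"
                      and e.get("EventCode") == "4740")
        is_ad_in_ou = (e.get("index") == "activedirectory"
                       and e.get("sourcetype") == "ActiveDirectory"
                       and "sAMAccountName" in e            # sAMAccountName=*
                       and e.get("OU") == ou)
        if is_lockout or is_ad_in_ou:
            yield e


def coalesce_account(e):
    """| eval Account_Name = lower(coalesce(Account_Name, sAMAccountName))"""
    name = e.get("Account_Name") or e.get("sAMAccountName")
    return dict(e, Account_Name=name.lower()) if name else e


def stats_values_by_account(events):
    """| stats values(*) as * by Account_Name
    Per account, every other field becomes the set of distinct values seen."""
    grouped = defaultdict(lambda: defaultdict(set))
    for e in events:
        for field, value in e.items():
            if field != "Account_Name":
                grouped[e["Account_Name"]][field].add(value)
    return grouped


def locked_accounts_in_ou(events, ou="Test Users"):
    """Accounts that were locked out (4740) AND are in the given OU, sorted."""
    rows = stats_values_by_account(coalesce_account(e) for e in base_search(events, ou))
    # | where EventCode=4740 AND OU="<ou>": both data sources must have contributed.
    return sorted(acct for acct, fields in rows.items()
                  if "4740" in fields.get("EventCode", set())
                  and ou in fields.get("OU", set()))


if __name__ == "__main__":
    print(locked_accounts_in_ou(WINEVENTLOG + ACTIVEDIRECTORY))
```

Two things this makes visible that the SPL hides: svc-backup is locked out but is dropped because its AD record is outside the OU and so never enters the group, and other-user is in the OU but has no 4740 event, so the where clause removes it. One caveat for real 4740 events: if the Windows TA extracts Account_Name as a multivalue field (the classic event text carries an Account Name under both the subject and the locked-out account), the eval and the stats group key operate on the whole field, so confirm which value is acting as the join key before trusting the alert.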