Splunk Search

search results using data from two indexes

dyolmc
Explorer

I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users.  The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data.  I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling with what I need to combine in order to make this search work.  I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"


Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc



index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group


0 Karma
1 Solution

bowesmana
SplunkTrust

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream that contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z


0 Karma


dyolmc
Explorer

Thanks for your help 🙂  Combining the data sets using "| stats values(*) as * by Account_Name"  I was able to get what I'm looking for:

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
0 Karma
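Putting the accepted answer and the final search above together, here is the complete search as an added example; it is not code from either poster. Two practitioner details the thread leaves implicit are handled. First, a 4740 event carries two Account_Name values (the Subject that reported the lockout, and the account that was locked out), so coalescing the raw Account_Name can match on the wrong one; the example assumes the locked-out account is the last Account_Name value, as it is in the raw event text where "Account That Was Locked Out" follows "Subject", and you should confirm that on your own data with `| table Account_Name` before relying on it. Second, `fields` is applied before the `stats` so only the needed fields are carried. The field Caller_Computer_Name and the OU value "Test Users" are assumptions taken from the standard 4740 event text and from the answer, not from the question's field list.

```spl
(index="wineventlog" sourcetype="wineventlog" EventCode=4740)
    OR (index="activedirectory" sourcetype="ActiveDirectory" sAMAccountName=* OU="Test Users")
| eval Account_Name=lower(if(EventCode=4740, mvindex(Account_Name, -1), sAMAccountName))
| fields _time Account_Name EventCode Caller_Computer_Name OU
| stats count(eval(EventCode=4740)) as lockouts,
        max(eval(if(EventCode=4740, _time, null()))) as last_lockout,
        values(Caller_Computer_Name) as Caller_Computer_Name,
        values(OU) as OU
        by Account_Name
| where lockouts>0 AND isnotnull(OU)
| eval last_lockout=strftime(last_lockout, "%Y-%m-%d %H:%M:%S")
| table Account_Name OU lockouts last_lockout Caller_Computer_Name
```

The `stats ... by Account_Name` is what joins the two indexes: after it, each row is one account, `lockouts` is non-zero only if a 4740 event was seen for that account and `OU` is non-null only if the activedirectory index had a matching record, so the `where` keeps exactly the locked-out accounts in the target OU. `lower()` on both sides matters because sAMAccountName and the Windows Account_Name can differ in case. One caveat for alerting: both sides must fall inside the search time range, so if the activedirectory index is only populated by a periodic inventory, a short alert window can miss the OU record and silently drop the account; either widen the window or move the AD data into a lookup.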