Splunk Search

search results using data from two indexes

dyolmc
Explorer

I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users. The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data. I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling with what I need to combine in order to make this search work. I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"


Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc



index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group


1 Solution

bowesmana
SplunkTrust

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream that contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z



dyolmc
Explorer

Thanks for your help 🙂 Combining the data sets using "| stats values(*) as * by Account_Name" I was able to get what I'm looking for:

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
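To make the behaviour of the accepted answer and the final search above concrete, here is a small Python simulation of that SPL pipeline. It is an added example, not code from the thread or from Splunk: it runs the disjunctive base search, applies the lower(coalesce(...)) key, groups like "stats values(*) as * by Account_Name", and then applies the "where EventCode=4740 AND OU=..." filter. The events are constructed sample data (the user names, the "dc" value and the "Service Accounts" OU are hypothetical), and it assumes that for a multivalue Account_Name on a 4740 event the first value is the locked target, which is the order the question's field listing shows; check that order in your own events before relying on it. One thing the simulation makes visible that the thread does not spell out: the combination only alerts on accounts that appear in both indexes, so a locked account with no object in the activedirectory index never alerts, and the lower() call is what lets a mixed-case Account_Name match its sAMAccountName.

```python
"""Simulate the thread's SPL pipeline in Python (added example, not from the
original post): coalesce the account key across two indexes, stats values(*)
as * by Account_Name, then keep only rows that carry both a 4740 lockout and
an AD object from the wanted OU."""
from collections import defaultdict

# Constructed sample events (hypothetical). A 4740 event lists Account_Name
# twice, the locked target and the DC's account, so it is multivalued here.
WINEVENTLOG = [
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4740",
     "Security_ID": r"domain\test-user", "Account_Name": ["test-user", "dc"]},
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4740",
     "Security_ID": r"domain\Other-User", "Account_Name": ["Other-User", "dc"]},
    {"index": "wineventlog", "sourcetype": "wineventlog", "EventCode": "4624",
     "Account_Name": ["third-user", "dc"]},          # a logon, not a lockout
]
ACTIVEDIRECTORY = [
    {"index": "activedirectory", "sourcetype": "ActiveDirectory",
     "sAMAccountName": "test-user", "OU": "Test Users"},
    {"index": "activedirectory", "sourcetype": "ActiveDirectory",
     "sAMAccountName": "other-user", "OU": "Service Accounts"},
    {"index": "activedirectory", "sourcetype": "ActiveDirectory",
     "sAMAccountName": "third-user", "OU": "Test Users"},
]


def base_search(events, ou):
    """(index=wineventlog EventCode=4740) OR (index=activedirectory OU=<ou>)."""
    for e in events:
        is_lockout = (e.get("index") == "wineventlog"
                      and e.get("sourcetype") == "wineventlog"
                      and e.get("EventCode") == "4740")
        is_ad_in_ou = (e.get("index") == "activedirectory"
                       and e.get("sourcetype") == "ActiveDirectory"
                       and e.get("sAMAccountName") is not None
                       and e.get("OU") == ou)
        if is_lockout or is_ad_in_ou:
            yield e


def add_key(e):
    """eval Account_Name = lower(coalesce(Account_Name, sAMAccountName)).
    Assumption: for a multivalue Account_Name the first value (the locked
    target in these constructed events) is taken; verify the order in your
    own 4740 events before relying on this."""
    raw = e.get("Account_Name")
    if isinstance(raw, list):
        raw = raw[0] if raw else None
    if raw is None:
        raw = e.get("sAMAccountName")
    out = dict(e)
    out["Account_Name"] = raw.lower() if raw is not None else None
    return out


def stats_values_by_account(events):
    """search Account_Name=* | stats values(*) as * by Account_Name.
    Returns {key: {field: sorted distinct values}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for e in events:
        key = e["Account_Name"]
        if key is None:                     # Account_Name=* drops keyless rows
            continue
        for field, value in e.items():
            if field == "Account_Name":
                continue
            for item in (value if isinstance(value, list) else [value]):
                groups[key][field].add(item)
    return {k: {f: sorted(v) for f, v in fields.items()}
            for k, fields in groups.items()}


def correlate(win_events, ad_events, ou="Test Users"):
    """Run the pipeline up to the stats command and return the grouped rows."""
    keyed = (add_key(e) for e in base_search(win_events + ad_events, ou))
    return stats_values_by_account(keyed)


def locked_accounts_in_ou(win_events, ad_events, ou="Test Users"):
    """where EventCode=4740 AND OU=<ou>: a row alerts only if it received a
    lockout event AND an AD object from the wanted OU. After the base search
    both fields hold one value per group, so membership equals equality."""
    rows = correlate(win_events, ad_events, ou)
    return sorted(key for key, row in rows.items()
                  if "4740" in row.get("EventCode", [])
                  and ou in row.get("OU", []))


if __name__ == "__main__":
    for key, row in correlate(WINEVENTLOG, ACTIVEDIRECTORY).items():
        print(key, row.get("EventCode"), row.get("OU"))
    print("alert on:", locked_accounts_in_ou(WINEVENTLOG, ACTIVEDIRECTORY))
```

Running it shows three grouped rows: "test-user" has both EventCode 4740 and OU "Test Users" and alerts; "other-user" was locked out but its AD object sits in a different OU, so the base search never brought the OU field into its group; "third-user" is in the OU but only had a 4624 logon, so it has no EventCode. Only the first survives the final where clause, which is the same reason the thread's search restricts to the wanted OU in the base search rather than after the stats.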