Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search results using data from two indexes

dyolmc
Explorer
‎05-07-2024 03:18 PM

I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users.  The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data.  I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling  on what I need to combine in order to make this search work.  I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"


Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc



index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-07-2024 08:53 PM

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-07-2024 08:53 PM

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z
0 Karma
Reply
Solved! Jump to solution

dyolmc
Explorer
‎05-08-2024 06:00 AM

Thanks for your help 🙂  Combining the data sets using "| stats values(*) as * by Account_Name"  I was able to get what I'm looking for:

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...