Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

search results using data from two indexes

dyolmc
Explorer
‎05-07-2024 03:18 PM

I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users.  The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data.  I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling  on what I need to combine in order to make this search work.  I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group.

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*)
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"


Some of the key fields that I'm trying to reference from the indexes are as follows:

index = wineventlog
sourcetype = wineventlog
EventCode=4740
Security_ID = domain\test-user
Account_Name = test-user
Account_Name = dc



index = activedirectory
sourcetype = ActiveDirectory
Account_Name = test-user
sAMAccountName = test-user
OU = Test Users Group


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-07-2024 08:53 PM

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-07-2024 08:53 PM

I am not sure what you are missing here - if you want to also restrict the AD data then also add in the search constraint

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name="test-user"

There is nothing wrong with your logic as such, so at this point you will have a data stream contains two types of event - what are you now looking to do with this?

I expect you are wanting to combine these data sets according to Account_Name, so you would typically do

| stats values(*) as * by Account_Name

but before doing that type of wildcard stats, limit the fields to what you want with a fields statement before it, i.e.

| fields Account_Name a b c x y z
0 Karma
Reply
Solved! Jump to solution

dyolmc
Explorer
‎05-08-2024 06:00 AM

Thanks for your help 🙂  Combining the data sets using "| stats values(*) as * by Account_Name"  I was able to get what I'm looking for:

(index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR
(index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users")
| eval Account_Name = lower( coalesce( Account_Name, sAMAccountName))
| search Account_Name=*
| stats values(*) as * by Account_Name
| where EventCode=4740 AND OU="Test Users"
| fields Account_Name EventCode OU
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...