Hello, I am trying to set a static color for my single value (the value is a string) visualization. I tried it with CSS, adding an ID to the single markup, and it didn't work. I also tried to set these options:

<option name="colorMode">block</option>
<option name="colorBy">value</option>
<option name="useColors">0</option>
<option name="rangeColors">["0x0000ff"]</option>

and it didn't work either.
Dears, I need your help in extracting the domain and top-level domain from DNS queries, where:

Query Field       |  Extracted field
Account.fb.com    |  Fb.com
Aa.bb.cc.com      |  Cc.com
Www.google.com    |  Google.com

Thanks in advance.
I have the following main search:

index=utm sys=SecureNet action=drop
| eval protocol=case(proto==1, "ICMP", proto==6, "TCP", proto==17, "UDP", proto==132, "SCTP", 1=1,proto)
| table _time severity srcip srcport srcmac dstip dstport dstmac protocol eval action fwrule tcpflags ttl initf outitf
| sort -_time

On the existing eval, I need to modify the end that acts as the else. Right now, the else specifies a name for numbers 1, 6, 17, and 132 in field "proto". I need the else to use any other occurring number to look up an associated name from a CSV containing 2 fields: "number" and "name". I cannot for the life of me figure out what kind of subsearch to use or the syntax... I imagine it is something like:

| inputlookup protocol_number_list.csv | search number=proto | return name

but I can't figure out how to combine the two. Any help would be greatly appreciated, thanks!
Hi Experts, We have Splunk Enterprise 8.2.6 on SLES12 SP4 in GCP. There are many corrupted buckets on the indexer nodes. Did any one of you experience such bucket corruption due to the OS or OS-related patches or something else? Thank you.
Hi All, What is the added advantage that Splunk MLTK brings when we already have commands like predict, cluster, anomaly detection and association in Splunk Enterprise which use ML algorithms? In what scenarios or use cases do we really need Splunk MLTK?

Regards, Balaji TK
Hi, I have 3 servers that generate a log file daily with a size of about 12GB (12*3=36GB). How can I gather these files on a centralized log server?

FYI1: I can't use the Splunk forwarder in this scenario.
FYI2: rsyslog, filebeat, syslog-ng, ... are available solutions but I can't decide which one is more suitable for this issue.
FYI3: raw data is important, and must not be missed.
FYI4: like the forwarder, whenever servers or the network go down, after the issue is resolved it will continue sending data. (AFAIK rsyslog uses a tracker when the server stopped and tries to send the remaining file after the service starts again.)

Any idea? Thanks,
Hi, hope you are doing good. I'm working on a use case which will trigger if any user is trying to connect from a non-business country. Attaching the snap for the query. I want to optimize my query more: if one user is trying to log in from more than 2-3 countries, then it will trigger. Can you please help me with the query?

Thanks, Debjit
I followed a tutorial on how to create an alert for a failed root login by typing "failed password for root". The alert is created, but I want to see the alert be triggered. I'm working on a VM; what's the best way to see the alert in action?
We have been experiencing unusually high memory usage on some of our domain controllers. The culprit here is the Splunk process splunk-MonitorNoHandle.exe. Here is the report of the memory usage on the domain controllers:

DC1  splunk-MonitorNoHandle.exe  17724  Services  0  14,993,012 K
DC2  splunk-MonitorNoHandle.exe  53268  Services  0  38,927,688 K
DC3  splunk-MonitorNoHandle.exe  16164  Services  0  43,997,828 K
We are newer customers to the platform and are beginning our journey on implementing APM on SOC/SignalFx in the cloud. As part of that journey we are creating the base for our alerting capabilities and learning how to integrate with our AIOps solution, Moogsoft. Under Data Management, when adding a new Integration, I see there are options for many popular notification services, but not Moogsoft. Are there any short-term plans to add this? I know Splunk Cloud already has this direct integration, as we are using it, so it feels like it should be a short path to adding this to Observability Cloud as well. I know there are webhooks available to us, but the ability to customize these for things like assignee groups and priority levels for the incidents they may create appears to be lacking. Thanks in advance for any details you can share.
Hello. To help with text classification, we are looking to utilize the BERT machine learning model. Has anyone had experience incorporating new ML models (like BERT) into the MLTK toolkit app?

Regards, Max
Hello. Using the eval function, I am trying to add a new field to the Change data model. When I try to add the new field (i.e. time_millis=_time), no results come back from my tstats query. When I perform the same tstats query using SPL, I am able to get proper values (i.e. timestamp with milliseconds). Does anyone have suggestions on how to add new fields to an existing CIM data model? Thanks in advance for any advice.

Regards, Max
Hi, I'm curious if anyone has a query that can help provide some insight into something I am trying to figure out. The issue is regarding a user that was not a member of the Admins security group on 5/6/22 but was on 6/2/22. For the life of me, I cannot find out who added this user to that group. I'm using the following query, but it's not providing anything meaningful. Any help in solving this mystery is greatly appreciated.

eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)
| stats count by _time,Security_ID,EventCodeDescription,member_dn
| rename member_dn as Change_Made_By
Good morning/afternoon/evening, I have a field (registeredIp) that sometimes will not have an IP address in it; it will be an error message instead. I use this field as my primary key for removing duplicates, so I need this field to have the IP. I also capture all associated IPs (management cards, multi-homed NICs, etc.) that show the IP as a multivalue field array, such as in this example:

ipAddress: (10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59)

I've used an IF statement with MATCH to get the first IP address (usually the production IP I need), but it only returns true in the registeredIp field.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",match(ipAddress,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),registrationIp)

In this case I need registrationIp to equal 10.42.103.94, not True. Any help getting the first IP address into this field would be appreciated. Thanks!
Hello Splunk community, I need some help with the following:

I have a .csv file that is being created in the Pacific time zone, and the hour and date of the events I need to track are 2 separate fields in this .csv, named Date (09/12/2022) and "Begin Time" (06:30). I want to table my events based on those two fields as my time reference, and not the _time (2022-12-09T10:41:02.000-05:00) when the file was exported to Splunk, which is actually a different time zone (Eastern). What would be the best way, using those two fields (Date & "Begin Time"), to accurately display the events in my .csv?

Thanks for your help.
I have a subsearch that is used to pull user, start time and expiration time fields. I want to use the two time fields from the subsearch as the time frame the outer search uses to pull events. I'm not familiar with how to do this.

earliest=<earliest_from_subsearch> latest=<latest_from_subsearch> index=myindex sourcetype=my_st_2 <my spl>
| join user
    [ search index=myindex sourcetype=my_st <my spl>
      | eval earliest = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%N") -18000, latest = strptime(ExpirationTime, "%Y-%m-%dT%H:%M:%S.%N") -18000
      | fields user earliest latest user_role ]
| table user role failure_code failure_reason

Thanks for the help and guidance.
Regex working fine in standalone Splunk but not in a clustered environment.

1) Indexer component of app --> test_log_idx, having the indexes.conf and props.conf kept in the default directory with the local directory empty, is below.

[test:sanetiq:log]
CHARSET = AUTO
DATETIME_CONFIG =
EXTRACT-log_level = \[\d+\]\s(?P<log_level>[^\s]+)
EXTRACT-message = \]\s-\s(?P<message>.+)
EXTRACT-process_name = \[\d+\]\s.+\s\s(?P<process_name>.+)\s\[
EXTRACT-sanetiq_label_type = Label\sType\s=\s(?P<sanetiq_label_type>[^\s]+)
EXTRACT-sanetiq_mask_template = Mask\sTemplate\s=\s(?P<sanetiq_mask_template>[^\s]+)
EXTRACT-sanetiq_print_request_id = Print\sRequest\s=\s(?P<sanetiq_print_request_id>[^\s]+)
EXTRACT-sanetiq_printer_name = Printer\s=\s(?P<sanetiq_printer_name>[^\s]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true

2) UF component of app --> deployed to the UF is test_log_uf, having inputs.conf placed in default, and the local directory is empty:

[monitor://D:\Tab\Server\data\SanetiqLogger\*log*]
index=test_log_data
source=test:sanetiq:log

3) Search head component of app --> test_log_sh, having the same props.conf as mentioned above.

Sample data:

2022-12-09 16:02:04,304 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 16:02:04,040 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 16:02:04,038 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 16:02:04,037 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 30812
2022-12-09 16:02:04,035 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 16:02:04,030 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 30812
1 Labels printed
Printer = Zebra ZM400 (203 dpi)- ABCDB362
Mask Template = DI AMBRS-IDENT REGLEMENTEE
Label Type = DI IDENT REGLEMENTEE
2022-12-09 16:02:03,480 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855021
2022-12-09 16:01:56,936 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 16:01:56,928 [2452022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 30812
2022-12-09 16:01:52,127 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 16:01:50,708 [2452022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 16:01:50,675 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 16:01:50,670 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604231 printrequest 3855021
Imported Print Requests : 1
2022-12-09 15:56:27,266 [2412022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:56:23,731 [2412022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\GPAO\TPSREEL\SANIDENT.1 correctly deleted
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)
2022-12-09 15:51:26,540 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR :
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule)
2022-12-09 15:51:26,532 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855018, Error=LABEL_FORMAT_INCOMPATIBLE
2022-12-09 15:51:26,367 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:51:26,363 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604228 printrequest 3855018
2022-12-09 15:48:58,989 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:48:58,736 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:48:58,732 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:48:58,728 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 4340
2022-12-09 15:48:58,724 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:48:58,717 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1234
1 Labels printed
Printer = Zebra ZM400 (203 dpi) - BOX5
Mask Template = TICKET-PESEE-300
Label Type = Tickets BOX5
2022-12-09 15:48:58,152 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855017
2022-12-09 15:48:47,883 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 15:48:47,879 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 4340
2022-12-09 15:48:42,148 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:48:41,272 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 15:48:41,211 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:48:41,204 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1234567 printrequest 1234567
Imported Print Requests : 1
2022-12-09 15:48:40,389 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:48:40,276 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)
2022-12-09 15:53:48,067 [2452022120993750] ERROR SanetiqLogger [(null)] - ERROR :
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.checkPrinterAndMaskTemplateCompatibility(Printer printer, MaskTemplate maskTemplate, String strUserMatricule)
2022-12-09 15:53:48,060 [2452022120993750] ERROR SanetiqLogger [(null)] - Service Print Error2 : PrintRequest ID=3855020, Error=LABEL_FORMAT_INCOMPATIBLE
2022-12-09 15:53:47,909 [2452022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:53:47,905 [2452022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604230 printrequest 3855020
2022-12-09 15:52:20,553 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method ends
2022-12-09 15:52:20,548 [2262022120993750] INFO SanetiqLogger [(null)] - Codesoft Instance Created : PID - 1556
2022-12-09 15:52:16,395 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:52:15,859 [2262022120993750] INFO SanetiqLogger [(null)] - End of CheckIntegrity(string strUserMatricule)
2022-12-09 15:52:15,825 [2262022120993750] INFO SanetiqLogger [(null)] - Satrt of CheckIntegrity(string strUserMatricule)
2022-12-09 15:52:15,822 [2262022120993750] INFO SanetiqLogger [(null)] - Check Integrity of printTask 1604229 printrequest 3855019
Imported Print Requests : 1
2022-12-09 15:52:14,912 [2222022120993750] INFO SanetiqLogger [(null)] - Imported Data Lines : 1
2022-12-09 15:52:14,847 [2222022120993750] INFO SanetiqLogger [(null)] - Data Import File E:\sanetiq\sanofi\etudes\ficentree\AMBXSQP\XFP\BOX5\ticpes correctly deleted
2022-12-09 15:52:30,245 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:52:29,871 [2262022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:52:29,866 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:52:29,861 [2262022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 1556
2022-12-09 15:52:29,855 [2262022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:52:29,848 [2262022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 1556
1 Labels printed
Printer = Zebra ZM400 (203 dpi) - BOX5
Mask Template = TICKET-PESEE-300
Label Type = Tickets BOX5
2022-12-09 15:52:29,213 [2262022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855019
2022-12-09 15:43:03,149 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method ends
2022-12-09 15:43:02,688 [2452022120993750] INFO SanetiqLogger [(null)] - Closing all documents in Codesoft Instance
2022-12-09 15:43:02,682 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.connectToLppx2() method begins
2022-12-09 15:43:02,676 [2452022120993750] INFO SanetiqLogger [(null)] - Get Active Codesoft Instance to quit : PID - 18592
2022-12-09 15:43:02,670 [2452022120993750] INFO SanetiqLogger [(null)] - Lppx2Manager.QuitLppx2() method begins
2022-12-09 15:43:02,662 [2452022120993750] INFO SanetiqLogger [(null)] - Finish Codesoft Instance PID : 18592
1 Labels printed
Printer = ZEBRA 105S/Se - Fab Multi-produits - Vracs avec picto
Mask Template = SHP-END
Label Type = 01-Identification Vracs Int avec picto Multi-Pro
2022-12-09 15:43:00,828 [2452022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855015
1 Labels printed
Printer = L_LPAMB406
Mask Template = LUNA_AMB_PREL_AC_SEP
Label Type = Prélèvements AC Séparateur
2022-12-09 15:43:00,336 [2252022120993750] INFO SanetiqLogger [(null)] - PRINT : Print Request = 3855014
2022-12-09 15:42:58,512 [2452022120993750] INFO SanetiqLogger [(null)] - Print with Codesoft Instance PID : 18592
at Sanetiq.BusinessFramework.BusinessObjects.PrintModule.Loop()
at Sanetiq.BusinessFramework.BusinessObjects.PrintTask.CheckIntegrity(String strUserMatricule)
I am having an issue with the host name showing up in all capital letters on Splunk Cloud, but the Splunk UF is showing its name in lower case for both the host and the Splunk instance name. This is occurring on a Windows 2016 platform. I have verified that the name is all lower case in the server.conf file and, just for gee whiz, I ran the "splunk.exe clone-prep-clear-config" command on this server and nothing changed. I have verified via the system screen and the command line that the server's name is lowercase. I ran an ipconfig /all and it too is showing the host name as lower case, and NetBIOS has been disabled on this server. Also, using the nbtstat commands I have validated that NetBIOS is disabled on this server. Not sure how to proceed from here. Any advice would be greatly appreciated.
Example of the issue I am encountering:

Search one returns a row with all the fields populated:

| makeresults count=1 | eval tmp_field1="abc" | lookup kvstore_name field1 AS tmp_field1

Search two returns a row with most of the fields empty (even though it is a search of the same row in the KV store, just using a different field):

| makeresults count=1 | eval tmp_field2="xyz" | lookup kvstore_name field2 AS tmp_field2

What could cause the results described above? (Any recommendations would be greatly appreciated.)
Hi all, I'm currently working on creating an alert for any time a user mounts an ISO. My core search works exactly as intended, but I'm having trouble creating the desired subsearch. Both searches run from the same index, but the core search will not produce the name of the workstation, as it is not present in the data returned by the sourcetype in use. There is another sourcetype (same index) that does include this as a field titled "ComputerName", and there is an "ID" field that correlates between both sourcetypes. So here is my core search:

index=[indexname] sourcetype=[sourcetype] [search parameters] | table EventType FileName ID IndexTime

How can I build a subsearch that queries the second sourcetype by the corresponding ID value and produces the ComputerName value to add to the table? Thanks!