Hi,
I am trying to see when an event happens on source=A in between 2 events on source=VPN.
My VPN source provides two different events for "login" and "logout".
I want to link the two sources by usernames, but source=A has them listed differently as "app_user". I currently use a lookup table to return the type of username I want, "ad_id". My VPN source has the user listed as 'citrix_user'.
source=A has fields called 'app_user' and a few other non-important sources.
source=VPN has fields called _time, citrix_user, and action. Action is either 'LOGIN' or 'LOGOUT'.
This is what I have but it is not mapping the citrix_user correctly. The status should return "ok" if there is a match.
source="A" | lookup lookuptable.csv app_user | join ad_id [search source=VPN | fields + citrix_user, _time, action] | eval status = if((ad_id=citrix_user), "alert", "ok") | table _time, trader_login, ad_id, citrix_user, action, status
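The question above needs two things: normalising the usernames so both sources carry the same key, and then checking whether each source=A event falls after a LOGIN and before the next LOGOUT for that user. The search below is an added example, not the poster's query and not a verified answer; it assumes the lookup returns the normalised name in a column called ad_id, that both sources carry _time, and that the VPN events are stamped with source="VPN". It appends the VPN events to the application events, sorts the combined stream per user by time, and uses streamstats to carry the most recent VPN action forward onto each application event:

```spl
source="A"
| lookup lookuptable.csv app_user OUTPUT ad_id
| append [ search source="VPN" | fields + source, _time, citrix_user, action ]
| eval user=coalesce(ad_id, citrix_user)
| sort 0 user, _time
| eval vpn_action=if(source="VPN", action, null())
| streamstats current=f last(vpn_action) AS session_state BY user
| eval status=if(source="A" AND session_state="LOGIN", "alert", "ok")
| where source="A"
| table _time, app_user, ad_id, session_state, status
```

last() skips null values, so session_state on an application event is the latest VPN action for that user that precedes it (LOGIN means the event sits inside an open VPN session). sort 0 lifts the default 10,000-row sort limit, but append is still bounded by the subsearch result limit, so narrow the time range if the VPN source is large.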