In a hurry I posted this as an answer earlier, so I ask the moderator to ignore that if possible.
Back to the question. Somesoni2, your answer got me some results and I thank you for that, but it's still not quite what I need.
New search looks like this:
[search index="A" source="/var/log/splunkusers" host="XYZ" user="*"] OR [search index="B" source="/var/log/secure" host="XYZ" user="*" | dedup user] | table user host _time source
and as a result I get:
userA XYZ 2015-09-16 16:11:16 /var/log/secure
userB XYZ 2015-09-23 15:24:38 /var/log/secure
userC XYZ 2015-10-12 14:00:54 /var/log/secure
userA XYZ 2015-10-14 07:42:29 /var/log/splunkusers
userB XYZ 2015-10-14 07:42:29 /var/log/splunkusers
userC XYZ 2015-10-14 07:42:29 /var/log/splunkusers
userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers
userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers
and the result I need is:
userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers
userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers
So basically I need only the users from source /var/log/splunkusers that are not in /var/log/secure.
You suggested the use of:
| eventstats values(source) as source
but it just groups the sources for me, and there is no row with only one source, so I can't use:
...| where mvcount(source) =1
as you suggested. I get what you wanted to achieve and it would be OK. Can you please check my new search, the example of results I get and the results I need? It might give you a better idea for a possible solution.
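As an added example (not part of the original thread or of Somesoni2's answer), the "users in A that are not in B" set difference the post asks for is what an SPL subsearch does when it is negated with NOT: the inner search returns the distinct user values seen in /var/log/secure, and Splunk rewrites them into a `NOT (user="userA" OR user="userB" ...)` filter on the outer search. The index names A and B, host XYZ, the user field and the two source paths are taken from the post; everything else is standard SPL.

```spl
index="A" source="/var/log/splunkusers" host="XYZ" user="*"
    NOT [ search index="B" source="/var/log/secure" host="XYZ" user="*"
          | dedup user
          | fields user ]
| table user host _time source
```

The `fields user` at the end of the subsearch matters: without it the subsearch would hand back every field of each matched event, and the generated filter would require all of them to match. Two caveats a practitioner should know: a subsearch is capped at 10,000 results and 60 seconds by default, so on a host with more distinct users than that the exclusion list is silently truncated and some users from /var/log/secure will leak into the output; and the time range of the subsearch is the same as the outer search unless you set `earliest`/`latest` inside it. If the cap is a concern, the same result can be produced without a subsearch by searching both sources at once and keeping only users whose set of sources is exactly the splunkusers file: `(index="A" source="/var/log/splunkusers" host="XYZ") OR (index="B" source="/var/log/secure" host="XYZ") | stats values(source) AS sources, latest(_time) AS _time, values(host) AS host BY user | where mvcount(sources)=1 AND sources="/var/log/splunkusers"`.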