×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Chrisla9
Explorer
Member since: ‎02-24-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎02-24-2016
View All

Re: How do I join data from two indexes on a certa...

by in Splunk Search
‎02-25-2016 06:54 AM
‎02-25-2016 06:54 AM
Thanks for your help, I should have seen the field name issue! I've managed to sort this out using: index="my _records" gw_action=Allowed user="*@*" |rename user TO Logon_Account | join type=inner Logon_Account [search index=wineventlog] | table time_seen, Logon_Account, Source_Workstation, category, crime_server, gw_action, src, record_id However some checks I made suggested the join was not working correctly as running separate searches in my_records and wineventlog showed users appearing in wineventlog which didn't appear in the joined search. Further investigation showed the Logon_Account was sometimes partly in lowercase and sometimes partly in uppercase (e.g. ACCOUNT.NAME@mydomain.net). I have tried using eval ln=lower(Logon_Account) and then renaming the field to ln like so index="my_records" gw_action=Allowed user="*@*" |rename user TO ln| join type=inner eval (ln=lower(Logon_Account) [search index=wineventlog] | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id or index="seculert_records" gw_action=Allowed user="*@*" |rename user TO ln| join type=inner Logon_Account [search index=wineventlog |eval ln=lower(Logon_Account)] | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id But neither of these seems to work as the Source_Workstation is not populated where as it is for the first search but only for some records. Any ideas where I'm going wrong please? Thanks ... View more

Re: How do I join data from two indexes on a certa...

by in Splunk Search
‎02-24-2016 01:29 PM
‎02-24-2016 01:29 PM
Thanks, I've been trying to sort through this and I found the field issue. If I break down the search and start with the first one: index="my_records" gw_action=Allowed user="@" |dedup record_id | table time_seen, category, crime_server, gw_action, src, record_id This returns the records I want but doesn't have the information from the windows event log. So, I stayed with the join and set the join on the Logon_Account because both the wineventlog and my_records have this field index="my_records" gw_action=Allowed user="@" |dedup record_id | join type=inner "Logon_Account" [search index=wineventlog] | table time_seen, Logon_Account, Source_Workstation, category, crime_server, gw_action, src, record_id Now I'm getting the same fields returned but the extra fields I have added from the wineventlog (Logon_Account, Source_Workstation) are not populated in the table Any ideas why this is please? Thanks in anticipation ... View more

How do I join data from two indexes on a certain f...

by in Splunk Search
‎02-24-2016 06:47 AM
1 Karma
‎02-24-2016 06:47 AM
1 Karma
Hi, Quite new to Splunk and need some help please. I have an event which triggers an alert in Splunk and brings back almost all the information I need .... all but one bit which is in another index (Windows Event Log) Here is the search I'm using. index="my_records" action=Allowed user="*@*" | rename user TO "Account Name" | join "Account Name" [search index=wineventlog] | table time_seen, "Account Name", category, server, action, src, record_id I was hoping this would join the two indexes on the "Account Name" field, but it returns no rows 😞 If I remove the join then 4 rows are returned. I know there will be a lot of rows in wineventlog, so the join is a one to many, I hope to fine tune this eventually by selecting just certain eventtypes, but right now I'd just like to see some data to confirm I'm on the right track. Thanks in anticipation of your help Chris ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All