About lth186

lth186 · ‎02-08-2019

There are multiple rows, but one IP_Address has only one single hostname, for example IP_Address1, PC1, DC1 IP_Address1, PC1, DC2 IP_Address2, PC2, DC2 IP_Address2, PC2, DC2 IP_Address3, PC3, DC1

lth186 · ‎01-30-2019

Yes I have

lth186 · ‎01-29-2019

@renjith.nair , Unfortunately it doesn't seems to work, the criteria in the second search (DomainController="DC1") doesn't seem to be taken into account, and only the fields from one sourcetype display correctly. Thanks.

lth186 · ‎01-29-2019

Hello, I'm trying to correlate events from 2 different source types, and 2 searches for example: sourcetypeA has fields IP_Address, MAC_Address, User sourcetypeB has the following fields: Time, IPAdd, hostname, DomainController. The IP Address field name is different from sourcetype A, ie: IPAdd, there are multiple events with the same pair, and I'm only searching events on a particular DomainController. I would like to display a table with the following result with one line for each IP Address: IP_Address, MAC_Address, User, hostname, DomainController I tried to use a subsearch like this: sourcetype=sourcetypeA [search sourcetype=sourcetypeB DomainController="DC1" | rename IPAdd as IP_Address | table IP_Address ] | table Time, IP_Address, MAC_Address, User, hostname, DomainController but it doesn't work. It only displays the values from the main search (SourcetypeA) (the fields from sourcetypeB are empty). I'm not sure if a subsearch is the best way to do this? Any clue? Thanks.

Posts	4
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎01-29-2019

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

In Splunk Enterprise Security, how do you use a su...

Re: In Splunk Enterprise Security, how do you use ...

Re: In Splunk Enterprise Security, how do you use ...

Re: In Splunk Enterprise Security, how do you use ...

In Splunk Enterprise Security, how do you use a su...