I am struggling with subsearches and getting and correlating data in a single output. I need to figure out which users are using external devices. I have two indexes:

- AD authentication logs (computer name and user-id)
- Logs for device activity (computer name only)

The device activity logs only report the computer names, and I want to have a single table that lists the computer name and the user names along with additional fields from the activity logs. I have the following search:

    eventtype=device_activity_index sourcetype=syslog_device_control ExternalDeviceType=USB*
        [search index="windows_dc" Source_Workstation!="server-*"
        | fields Source_Workstation,user]
    | table _time, Tenant, EventName, DeviceName, Source_Workstation, user, ExternalDeviceType, ExternalDeviceName, ExternalDeviceVendorID, ExternalDeviceProductID, ExternalDeviceSN, ZoneNames

Each search on its own works just fine and returns results. I have specified a specific computer name (Source_Workstation for AD and DeviceName for the activity log) for both searches and confirmed that, when they are run individually, both indexes contain logs for the same system. I have tried using | append [search …] as well as | where DeviceName=[search …] and I get 0 results. As I mentioned before, I have been struggling with getting subsearches to work, and despite reading the Splunk documentation, Googling, and YouTube videos, something is just not clicking. I am just not sure what is not clicking. Any help on what I could try to get the above search to work would be greatly appreciated.
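The search in the post returns nothing because of how Splunk expands a subsearch: the results of `[search ... | fields Source_Workstation,user]` are rewritten into a filter of the form `(Source_Workstation="host1" user="alice") OR (Source_Workstation="host2" user="bob") ...` that is ANDed onto the outer search. The USB events carry `DeviceName`, not `Source_Workstation`, so no outer event can satisfy that filter. The query below is an added example, not the poster's search or a reply from the thread: it keys both sides on the same hostname field and pulls the AD user onto each USB event with a left join. It assumes the field names shown in the post; `host_key` is an assumed working field name, and it assumes `DeviceName` and `Source_Workstation` hold the same form of hostname (the `lower()` only normalizes case).

```spl
eventtype=device_activity_index sourcetype=syslog_device_control ExternalDeviceType=USB*
| eval host_key=lower(DeviceName)
| join type=left host_key
    [ search index="windows_dc" Source_Workstation!="server-*"
      | eval host_key=lower(Source_Workstation)
      | stats latest(user) AS user BY host_key ]
| table _time, Tenant, EventName, DeviceName, user, ExternalDeviceType, ExternalDeviceName, ExternalDeviceVendorID, ExternalDeviceProductID, ExternalDeviceSN, ZoneNames
```

`type=left` keeps USB events that have no matching AD logon, which is worth seeing rather than silently dropping: a device plugged into a host with no recent authentication is exactly the row to look at. If one index logs FQDNs and the other short names, add `| eval host_key=replace(host_key, "\..*$", "")` on both sides before the join. The subsearch is also subject to the default limits (10,000 results and 60 seconds); for a large AD index, run `(usb search) OR (index="windows_dc" ...)` as one search, compute `host_key` with `coalesce(DeviceName, Source_Workstation)`, and use `eventstats values(user) AS user BY host_key` followed by `where isnotnull(ExternalDeviceType)` instead of the join.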