Activity Feed
- Posted Re: How can I get a stats count number of events in a field? on Splunk Search. 04-24-2024 04:53 AM
- Karma Re: Proper use of join vs. append - correlating events by a common field for somesoni2. 03-06-2024 11:46 PM
- Posted correlation data from same index different soucetype on Splunk Search. 03-06-2024 11:38 PM
- Got Karma for Re: Splunk App for Linux Auditd Log. 03-01-2024 12:55 AM
- Posted Re: Splunk App for Linux Auditd Log on Splunk Enterprise. 02-29-2024 09:00 PM
- Karma Re: Splunk App for Linux Auditd Log for kiran_panchavat. 02-29-2024 09:00 PM
- Posted Splunk App for Linux Auditd Log on Splunk Enterprise. 02-25-2024 09:16 PM
- Posted Linux Auditd and Linux Auditd Technology Add-On App Installation and Configuration on Splunk Enterprise. 02-23-2024 01:30 AM
Topics I've Started
04-24-2024 04:53 AM
Try
| tstats count where index=sm
...
03-06-2024 11:38 PM
I have the index=fortigate and there are two sourcetypes ("fgt_event" and "fgt_traffic").

index=fortigate sourcetype=fgt_event | stats count by user, assignip

user | assignip
---|---
john | 192.168.1.1
paul | 192.168.1.2

index=fortigate sourcetype=fgt_traffic | stats count by src srcport dest destport

src | srcport | dest | destport
---|---|---|---
192.168.1.1 | 1234 | 10.0.0.1 | 22
192.168.1.2 | 4321 | 10.0.0.2 | 22

I want to correlate the results like:

user | src (or) assignip | srcport | dest | destport
---|---|---|---|---
john | 192.168.1.1 | 1234 | 10.0.0.1 | 22
paul | 192.168.1.2 | 4321 | 10.0.0.2 | 22

I have learned SPL commands like join, mvappend, coalesce, subsearch, etc. I tried a lot of combinations of the SPL functions to get this output. It still isn't working. Please help me. Thanks.
...
02-25-2024 09:16 PM
Hello Sirs, I would like to know the most useful Splunk App that is suitable for Linux Auditd events. I have Linux devices such as Management Servers, DNS, HTTP Servers, Firewall, etc. These logs are carried by both Syslog Forwarders and Heavy Forwarders. Please suggest which Splunk App to use to monitor the audit logs. Thanks a bunch.
...
02-23-2024 01:30 AM
I downloaded and installed these apps from Splunkbase: https://splunkbase.splunk.com/app/4232 and https://splunkbase.splunk.com/app/2642. As per the instructions, I added sourcetype=linux_audit to the local "auditd_events" eventtype in the TA and added linux_audit to the list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv, but the dashboard data is not showing up. My existing auditd events belong to different sourcetype names and eventtype names. For example, I get the auditd events with: index="linux_fw" sourcetype="syslog" eventtype="mycustom_audit_events". Therefore, do I need to add sourcetype="syslog" to the local "auditd_events" eventtype in the TA and add syslog to the list of sourcetypes in TA-linux_auditd/lookups/auditd_sourcetypes.csv?
...