×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jdmeek
Engager
Member since: ‎11-06-2024
‎11-07-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-06-2024
Activity Feed
Topics I've Started
View All

Re: Trouble with time in join

by in Splunk Search
‎11-06-2024 11:56 AM
‎11-06-2024 11:56 AM
Thanks!   ... View more

Trouble with time in join

by in Splunk Search
‎11-06-2024 10:54 AM
‎11-06-2024 10:54 AM
I have an index with events containing a src_ip but not a username for the event.   I have another index of VPN auth logs that has the assigned IP and username.  But the VPN IPs are randomly assigned. I need to get the username from the VPN logs where vpn.client_ip matches event.src_ip.  But I need to make sure that the returned username is the one that was assigned during the event.  In short, I need to get the last vpn client_ip assignment to match the event.src_ip BEFORE the event so the vpn.username would be the correct one for event.src_ip. Here's a generic representation of my current query but I get nothing back. index=event ... | join left=event right=vpn where event.src_ip=vpn.client_ip max=1 usetime=true earlier=true [search index=vpn]    ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-07-2024 04:53 AM