cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dkingsland967
Observer
Member since: ‎01-07-2020
‎12-09-2022
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-07-2020
Activity Feed
View All

How to produce a field value from a subsearch?

by in Splunk Search
‎12-09-2022 07:17 AM
‎12-09-2022 07:17 AM
Hi all, I'm currently working on creating an alert for any time a user mounts an ISO. My core search works exactly as intended, but I'm having trouble creating a desired subsearch. Both searches run from the same index, but the core search will not produce the name of the workstation as it is not present in the data returned by the sourcetype in use. There is another sourcetype (same index) that does include this as a field titled "ComputerName", and there is an "ID" field that correlates between both sourcetypes. So here is my core search: index=[indexname] sourcetype=[sourcetype] [search parameters] | table EventType FileName ID IndexTime How can I build a subsearch that queries the second sourcetype by the corresponding ID value and produces the ComputerName value to add to the table? Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-09-2022 11:25 AM