×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dyolmc
Explorer
Member since: ‎09-12-2012
‎05-08-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-12-2012
View All

Re: search results using data from two indexes

by in Splunk Search
‎05-08-2024 06:00 AM
‎05-08-2024 06:00 AM
Thanks for your help 🙂  Combining the data sets using "| stats values(*) as * by Account_Name"  I was able to get what I'm looking for: (index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=* AND OU="Test Users") | eval Account_Name = lower( coalesce( Account_Name, sAMAccountName)) | search Account_Name=* | stats values(*) as * by Account_Name | where EventCode=4740 AND OU="Test Users" | fields Account_Name EventCode OU ... View more

search results using data from two indexes

by in Splunk Search
‎05-07-2024 03:18 PM
‎05-07-2024 03:18 PM
I have a wineventlog index to alert on locked accounts (EventCode=4740), but want to limit this based on certain users.  The data for the wineventlog index is pretty limited, so it looks like I would have to reference another index like activedirectory, that contains similar data.  I was thinking I could reference the "OU" field in the activedirectory index so that this is possible, but I'm struggling  on what I need to combine in order to make this search work.  I've looked at using coalesce, and can get results from both indexes/sourcetypes, but can't seem to just limit my search using EventCode=4740 and OU=Test Users Group. (index="wineventlog" AND sourcetype="wineventlog" AND EventCode=4740) OR (index="activedirectory" AND sourcetype="ActiveDirectory" AND sAMAccountName=*) | eval Account_Name = lower( coalesce( Account_Name, sAMAccountName)) | search Account_Name="test-user" Some of the key fields that I'm trying to reference from the indexes are as follows: index = wineventlog sourcetype = wineventlog EventCode=4740 Security_ID = domain\test-user Account_Name = test-user Account_Name = dc index = activedirectory sourcetype = ActiveDirectory Account_Name = test-user sAMAccountName = test-user OU = Test Users Group ... View more
Labels

Re: EventCode="1000" Getting Application crashing ...

by in All Apps and Add-ons
‎05-05-2020 05:52 AM
‎05-05-2020 05:52 AM
Did you ever figure why this was occurring? Noticing the same thing. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-08-2024 03:32 PM
Karma given to
View All