I installed the universal forwarder on 4 machines, and their event logs are coming in to my PC.
I want to compare the host in my event logs with the universal forwarder's IP address as received on my PC, so I look up index="_internal" to get the hostname and compare it with the host in my event logs.
Event log index:
index=* EventCode=4624
The index to check for the universal forwarder is:
index=_internal
Query:
index=_internal fwdType=uf | table hostname sourceHost | rename hostname as uf_username sourceHost as uf_hostname | join sourceHost [search index=* EventCode=4624 Source_Network_Address=* Account_Name=Administrator Account_Domain=* | table Source_Network_Address Account_Name host]
How do I compare these, and if the hostname matches in both indexes, get the IP address from sourceHost in index=_internal fwdType=uf and from Source_Network_Address in index=*?
I believe if you want to use join, then the field names need to be the same. So since you rename sourceHost to uf_hostname, joining on sourceHost won't work. You would need to join on uf_hostname instead and then also rename the "join" field in the second search to uf_hostname.
That said, if I understand what you're trying to do (which I may not) and you have DNS available, then you could try using a DNS lookup instead. So just look up the IP that is in Source_Network_Address to get the hostname directly? No need to join to internal logs then...
index=* EventCode=4624
| lookup dnslookup clientip AS Source_Network_Address OUTPUT clienthost AS uf_hostname_or_whatever
Or something to that effect.
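As an added example (not from the original poster or the answer above), here is the original join rewritten so both sides use the same key name, which is the point the answer makes. It keeps the field names from the question (hostname, sourceHost, Source_Network_Address, Account_Name, host); the `group=tcpin_connections` filter and the `latest()`/`values()` aggregations are my assumptions about how to narrow _internal to forwarder connection records and collapse repeats before joining.

```spl
index=_internal group=tcpin_connections fwdType=uf
| stats latest(sourceHost) AS uf_ip BY hostname
| rename hostname AS uf_hostname
| join type=inner uf_hostname
    [ search index=* EventCode=4624 Source_Network_Address=* Account_Name=Administrator
      | stats values(Source_Network_Address) AS logon_src_ip BY host
      | rename host AS uf_hostname ]
| table uf_hostname uf_ip logon_src_ip
```

Two things to keep in mind when reading the output. The `host` field on a 4624 event is the machine that collected the event (the forwarder), while Source_Network_Address is the machine that originated the logon, so the rows pair a forwarder's own IP with the addresses that logged on to it; the two columns are not expected to be equal. Also, the subsearch inside `join` is subject to Splunk's default subsearch limits (result count and runtime), so on a busy index narrow the time range or filter further before relying on this for a complete list.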