Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I compare two indexes with the same value and a different field name?

rockzers
Path Finder
‎08-25-2022 02:28 AM

i installed universal forwarder 4 machine this event log is getting my pc

i want to compare my event log and universal forwarder ip address as where i receive so i use to lookup index="_internal" to get hostname and compare my event log host

event log index

index=*  EventCode=4624

the check index of the universal forwarder is

index=_internal


query:

index=_internal fwdType=uf | table hostname sourceHost | rename hostname as uf_username sourceHost as uf_hostname | join sourceHost [search index=* EventCode=4624 Source_Network_Address=* Account_Name=Administrator Account_Domain=* | table Source_Network_Address Account_Name host]


how to compare this and if the host name matches both indexes and get the ip address from index=_internal fwdType=uf sourceHost and  index=*  Source_Network_Address

Labels (2)
Tags (3)
0 Karma
Reply

maciep
Champion
‎09-01-2022 05:24 AM

I believe if you want to use join, then the field names need to be the same.  So since you rename sourceHost to uf_hostname, then joining on sourceHost won't work.  You would need to join on uf_hostname instead and then also rename the "join" field in the second search to also be called uf_hostname.

That said, if I understand what you're trying to do (which i may not) and you have dns available, then you could try using a dns lookup instead....so just lookup the ip that is in the Source_Network_Address to get the hostname directly?  No need to join to internal logs then...

index=* EventCode=4624
| lookup dnslookup clientip AS Source_Network_Address OUTPUT clienthost AS uf_hostname_or_whatever

 

Or something to that effect. 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...