Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I compare two indexes with the same value and a different field name?

rockzers
Path Finder
‎08-25-2022 02:28 AM

i installed universal forwarder 4 machine this event log is getting my pc

i want to compare my event log and universal forwarder ip address as where i receive so i use to lookup index="_internal" to get hostname and compare my event log host

event log index

index=*  EventCode=4624

the check index of the universal forwarder is

index=_internal


query:

index=_internal fwdType=uf | table hostname sourceHost | rename hostname as uf_username sourceHost as uf_hostname | join sourceHost [search index=* EventCode=4624 Source_Network_Address=* Account_Name=Administrator Account_Domain=* | table Source_Network_Address Account_Name host]


how to compare this and if the host name matches both indexes and get the ip address from index=_internal fwdType=uf sourceHost and  index=*  Source_Network_Address

Labels (2)
Tags (3)
0 Karma
Reply

maciep
Champion
‎09-01-2022 05:24 AM

I believe if you want to use join, then the field names need to be the same.  So since you rename sourceHost to uf_hostname, then joining on sourceHost won't work.  You would need to join on uf_hostname instead and then also rename the "join" field in the second search to also be called uf_hostname.

That said, if I understand what you're trying to do (which i may not) and you have dns available, then you could try using a dns lookup instead....so just lookup the ip that is in the Source_Network_Address to get the hostname directly?  No need to join to internal logs then...

index=* EventCode=4624
| lookup dnslookup clientip AS Source_Network_Address OUTPUT clienthost AS uf_hostname_or_whatever

 

Or something to that effect. 

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...