AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Splunk join with different sourcetype10/2/2023 Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern. The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. That’s why 97% of clients are repeat customers. And with hundreds of deployments under our belt, we can guarantee on-time and on-budget project delivery. Our battle-tested processes and methodology help companies with legacy systems get to the cloud faster, so they can be agile, reduce costs, and improve operational efficiencies. We guide clients’ decisions, quickly implement the right technologies with the right people, and keep them running for sustainable growth. Want to learn more about combining data sources in Splunk? Contact us today! TekStream accelerates clients’ digital transformation by navigating complex technology environments with a combination of technical expertise and staffing solutions. if you want to search on data that depends on what you have found in another dataset. Requires at least two searches that will be “unioned”ĭoes not allow use of operators within the base searchesĪllows both streaming and non-streaming operatorsĭoes only a single search for events that match specified criteriaĪppends results of the “subsearch” to the results of the primary searchīehaves like multisearch with streaming searches and like append with non-streaming You can combine these two searches into one using a subsearch. Requires a primary search and a secondary one Subject to a maximum of 50,000 result rows by defaultĭefault of 50,000 result rows with non-streaming searches. No limit to the number of rows that can be produced Results are interleaved based on the time field But I supposed the 'lightest' solution here would be to extract the correlationId as you did, extract the type of the call (Request/Response) and then do. In this case there's another command which you could use but it's also a 'bad one' - it's 'transaction'. Results are added to the bottom of the table First and foremost - don't use the 'join' command unless you absolutely cannot avoid it. Choose the most efficient method based on the command types needed The table below shows a comparison of the four methods: ORĬan be either the first command or used in between searches. Append a search of the second sourcetype: append search sourcetypeappserver IPADDRESS fields IPADDRESS company Coalesce the IP fields: eval ipcoalesce (CLIENTIP, IPADDRESS) Lastly, count the contexts. Index= INDEX-B sourcetype= SOURCE TYPE B source_address="192.168.1.50" Tunneling | return user_nameĮssentially, I would like to see a new column called user_name with the user name data all in one search even though they are two different indexes and sourcetypes.Comparing OR, Append, Multisearch, and Union The second syntax has VPN data coming into Splunk and returns user name data for a corresponding IP address: Index= INDEX-A policy_name="Policy-A" sourcetype= SOURCE TYPE A action=DROP threat_severity=CRITICAL (source_address=192.168.1* OR source_address=192.168.2* OR source_address=192.168.3* OR source_address=192.168.4*) | stats count, values(source_zone_name) as Source_Zone, values(destination_address) as Destination_Address, values(destination_port) as Destination_Port, values(attack_name) as Attack_Name, values(threat_severity) as Threat_Severity by source_address | sort -count The first syntax has Firewall data coming into Splunk and gives you a table with 7 columns sorted by count: This way I can know what user corresponds to a given IP address (this is all historical data by the way). I'm scratching my head trying to find out how to join two different indexes and two different sourcetypes together and would like to extract the user_name field data from sourcetype B into sourcetype A's table.
0 Comments
Read More
Leave a Reply. |