I was able to combine both the source types but hadn't been successful in appending the column values from the second source, basically I tried eval (if condition match), append cols etc. Basically I am displaying a table to show all the necessary fields from the first source type and just append a column with values from the second source type (based on the matching condition - locomotive number). Sourcetype 1 : ITCM (trace log files) and for a given Locomotive number, go and find the events from Second source type and retrieve some info (example district name) and append to the column of the first. Sourcetype 1 : ITCM (trace log files) and for a given Locomotive number, go and find the events from Second source type and retrieve some info (example district name) and append to the column of the first. results: indexbotsv1 sourcetypewineventlog table time, action, host. I have a requirement to combine values from both. We will look at dedup, join, and sort in the following sections. Here is the syntax for configuring the nf file to assign source types. If you use Splunk Enterprise, you configure this in either Splunk Web or in the nf configuration file. Multiple sourcetypes combine datasets similar to concept Index-to-Match SourceA has fields (IDa, name, date, trimmedname, env, etc.) SourceB has fields (ID. If you use Splunk Cloud Platform, you configure this in Splunk Web. I am working on an issue where we are bringing Crowdstrike data where they are just dumping data into S3 bucket. If the Splunk platform finds an explicit source type for the data input, it stops here. Index= INDEX-B sourcetype= SOURCE TYPE B source_address="192.168.1.50" Tunneling | return user_nameĮssentially, I would like to see a new column called user_name with the user name data all in one search even though they are two different indexes and sourcetypes.I have 2 source types, one being XML and other being a trace log file events. Looking to see if anyone has any thoughts on trying to bring in different timestamp formats inside of the same sourcetype. Source types also let you categorize your data for easier searching. It tells the platform what kind of data you have, so that it can format the data intelligently during indexing. The second syntax has VPN data coming into Splunk and returns user name data for a corresponding IP address: The source type is one of the default fields that the Splunk platform assigns to all incoming data. You might have to use a where instead of a search, sometimes I flake. Sourcetype 1 : ITCM (trace log files) and for a given Locomotive number, go and find the events from Second source type and retrieve some info (example district name) and append to the column. I have a requirement to combine values from both. Now you can filter down to what you want: search sourcetypeB srccount > 1. All, I have 2 source types, one being XML and other being a trace log file events. This marks all the recorded ip addresses as either existing in just 1 sourcetype, or both. Index= INDEX-A policy_name="Policy-A" sourcetype= SOURCE TYPE A action=DROP threat_severity=CRITICAL (source_address=192.168.1* OR source_address=192.168.2* OR source_address=192.168.3* OR source_address=192.168.4*) | stats count, values(source_zone_name) as Source_Zone, values(destination_address) as Destination_Address, values(destination_port) as Destination_Port, values(attack_name) as Attack_Name, values(threat_severity) as Threat_Severity by source_address | sort -count eventstats distinctcount (sourcetype) as srccount by sourceip. The first syntax has Firewall data coming into Splunk and gives you a table with 7 columns sorted by count: This way I can know what user corresponds to a given IP address (this is all historical data by the way). I'm scratching my head trying to find out how to join two different indexes and two different sourcetypes together and would like to extract the user_name field data from sourcetype B into sourcetype A's table. Splunk SourcetypesYou can create new source types on the Splunk platform in several ways: Use the Set Source Type page in Splunk Web as part of adding the.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |