How to search multiple login failures in two index...

Kishorebk · ‎12-29-2014

I'm writing a query for multiple login failures, and failures are also seen in exchange logs. I'm finding it difficult to search in two indexes where the fields showing the host are different:

The thing here is, we have a server which is seen ( both in windows and exchange logs , but with different field names ) and when seen in exchange logs, shows the device and command it issued which helps me investigate better. So if i see the server name in exchange index, i need to get the DeviceType and Cmd in my end report with other fields.

Under windows the servers show under "Caller_Computer_Name", and in exchange it shows up as "Host".

Indexes needed: Windows and exchange
Fields needed: Caller_Computer_Name, Account_Domain, ComputerName, timestamp, DeviceType ( field from exchange ), Cmd ( field from exchange)

index="windows_dc"  EventCode="4740"  | convert ctime(_time) as timestamp | stats count values(Caller_Computer_Name) as Caller_computer, values(Account_Domain) as Domain ,values(ComputerName) as ComputerName ,values(timestamp) as timestamp ,  by user | sort - count

Thanks Kishore

MuS · ‎12-29-2014

Hi Kishorebk,

take a look at this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi... to get an idea how it can be done.

cheers, MuS

How to search multiple login failures in two indexes where field names for host are different, using if, join or subsearch?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk