I need to do a lookup on search results with data from Splunk internal. I have a log which logs when a user logs in and what PID that user gets assigned, such as:
PID: 2938 [DATE]
22: Command [username]
In the same log, the actions the user takes during the session are logged with the following format:
PID: 2938 [DATE]
22: Command [custom data]
Now I would like to generate a report using this data and translate the PID to a username using a lookup. The result would be a table with Username, PID and Command.
When I search for lookup information, I find that I can do lookups from scripts or CSV files, not from Splunk queries. Is it possible to do such a query?
You could either use the join or transaction command to combine the metadata of 2 searches.
Or use stats to aggregate the information on a unique key:
<search matching both events> | stats first(Command) as Command first(Username) as Username by PID
Another, more complicated option is to write a scripted lookup or a command which can execute searches in Splunk. But I don't think this is necessary.
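An added example of the stats approach, not part of the original answer. It assumes the index and sourcetype names are placeholders for your own, that each two-line record is indexed as one event so both lines are in _raw, and that the login event is the chronologically earliest event for a given PID (the page does not say how login events are otherwise distinguished from action events):

```spl
index=main sourcetype=app_session_log "Command ["
| rex "PID:\s+(?<PID>\d+)"
| rex "Command\s+\[(?<Payload>[^\]]+)\]"
| eventstats min(_time) AS login_time BY PID
| eval Username=if(_time==login_time, Payload, null())
| eval Command=if(_time!=login_time, Payload, null())
| stats first(Username) AS Username, values(Command) AS Command BY PID
| table Username, PID, Command
```

The two rex calls pull the PID and the bracketed payload out of every event; eventstats marks the earliest event per PID as the login, so Payload becomes Username for that event and Command for all others. stats ignores null values, so first(Username) returns the login username and values(Command) collects every distinct action for the session; use list(Command) instead if you want duplicates and arrival order preserved. If login and action events can share the same timestamp, the earliest-event assumption breaks and you need a marker in the login event itself to tell them apart.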
Thanks, I had to modify this a bit as there is more than one Command, so I use