Splunk Search

How to search for events from sourcetype1 and check for occurrences of the same events in sourcetype2?

ivanlesk
Engager

Hi,

I have a first sourcetype, st1, with information about changes to users. I want to get a particular set of users (their last changes) with:

index=A sourcetype="st1" COLUMN="SOMETHING" | table  col1 col2 col3 col4

In sourcetype="st2" I have columns col1 col2 col3 col4 col5. Columns col1 col2 col3 col4 are the "key" to finding specific users (both in st1 and st2).

I want to create an alert (either realtime or cron based) that will get a subset (list of col1 col2 col3 col4) from the first sourcetype, and then alert when an event occurs in the second sourcetype that has a "col1 col2 col3 col4" combination that exists in the subset from the first search.

e.g.

st1
 col1 col2 col3 col4
  0    0    0    1
  5    9    3    6
  2    9    19   0

st2
 col1 col2 col3 col4
  0    0    0    2
  0    0    0    2
  0    0    0    2
  0    0    0    2
  0    0    0    1
  5    9    3    6

Alert would be sent when 0 0 0 1 and 5 9 3 6 occurred in st2 sourcetype.

What is the best approach to this problem (performance wise) and how to "join" those two searches?

The subset from the first sourcetype can have a few thousand events and more than a year between the first and last events.

0 Karma
1 Solution

somesoni2
SplunkTrust

Try something like this

index=A sourcetype="st2"  [search index=A sourcetype="st1" COLUMN="SOMETHING" | table  col1 col2 col3 col4]  | table col1 col2 col3 col4 col5

Set the alert condition to trigger when the number of results of the above search is greater than 0.

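As an added example (not part of the answer above), the same filter written out in two forms: the subsearch form, which Splunk expands into an OR of the key tuples returned from st1 and which is bounded by the subsearch result limit (10,000 rows by default, `maxout` under `[subsearch]` in limits.conf), and a lookup-based form for a key set that is large or that only needs refreshing on a schedule. Index, sourcetype and column names come from the question; the lookup file name `st1_keys.csv` and the field name `key_match` are assumptions. The `dedup` keeps one row per user key so the expanded expression stays small, and appending `| format` to the subsearch lets you inspect the exact expression Splunk will AND into the outer search before relying on it.

```spl
index=A sourcetype="st1" COLUMN="SOMETHING"
| dedup col1 col2 col3 col4
| table col1 col2 col3 col4
| format

index=A sourcetype="st2"
    [search index=A sourcetype="st1" COLUMN="SOMETHING"
     | dedup col1 col2 col3 col4
     | table col1 col2 col3 col4]
| table col1 col2 col3 col4 col5

index=A sourcetype="st1" COLUMN="SOMETHING"
| dedup col1 col2 col3 col4
| table col1 col2 col3 col4
| outputlookup st1_keys.csv

index=A sourcetype="st2"
| lookup st1_keys.csv col1 col2 col3 col4 OUTPUT col1 AS key_match
| where isnotnull(key_match)
| table col1 col2 col3 col4 col5
```

The first search only previews the expansion; the second is the subsearch alert; the third is a scheduled search that refreshes the key lookup; the fourth is the alert search that matches all four key fields against that lookup, so the per-alert cost no longer depends on re-reading a year of st1 events.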

ivanlesk
Engager

This helped a lot. I've expanded your search with join.

thx

0 Karma

lpolo
Motivator

Do both log source types use the same log format?

Thanks,
Lp

0 Karma

ivanlesk
Engager

nope, they are generated from different services, they just have the same "key" in the form of 4 columns

0 Karma