Hi,
We have logs coming into Splunk from Unix and Windows WebSphere. Every logon in Windows generates an event in Unix with the type of security connection used (e.g. Web 3 and secure). The only field that matches in both logs is index, and the challenge here is that the events from Windows WebSphere have a _time that is 5 hours ahead of the Unix events. I tried the search below, but no events are showing up.
index=ABC_XYZ UId="*" "Logon" sourcetype="websphere:unix"
| eval First_time = _time
| join index
[ search index=ABC_XYZ "logon" "*web3qa*" sourcetype="websphere:windows" Target="*"
| eval Error_time = _time]
| where Error_time = First_time+18000
| stats earliest(First_time) as First_Logon by UId
| fieldformat First_time =strftime(First_time,"%I:%M:%S%p")
| fieldformat Error_time =strftime(Error_time,"%I:%M:%S%p")
| table First_Logon,First_time,Target
If editing the time in the search doesn't work, my plan is to change the _time value in the props file of the default app for this sourcetype. Please advise on how to do so.
Thanks in advance
Have you looked at the map command?
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map
Can you please elaborate or edit my search query? As I said, I don't have any matching field to map on. The log from Unix just shows the type of connection used and the Windows log shows the user ID. As we know they have a time difference of 5 hours, we can manually see the connection between the two logs. How do I match the events based on _time and _time+18000?
Please advise
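The two questions above (pairing the Unix and Windows events that differ by exactly 5 hours, and then getting the first logon per user) can be answered with a single search instead of a join. The SPL below is an added example, not part of this thread or of any WebSphere add-on. It assumes the Windows events are the ones 5 hours ahead (so 18000 seconds is subtracted from them, matching the Error_time = First_time+18000 relation in the posted search), that the two events for one logon land within 5 seconds of each other once the offset is removed (the span=5s is a guess to be tuned against the real data), and that UId and Target are the field names used in the posted search. The posted search joins on index, which is identical for every event, so join pairs each Unix event with one arbitrary Windows event and the time comparison never lines up; the example pulls both sourcetypes in one base search and groups them by a corrected timestamp instead:

```spl
index=ABC_XYZ
    ((sourcetype="websphere:unix" "Logon")
     OR (sourcetype="websphere:windows" "logon" "*web3qa*" Target="*"))
| eval norm_time = if(sourcetype=="websphere:windows", _time - 18000, _time)
| eval event_time = norm_time
| bin norm_time span=5s
| stats min(event_time) AS First_time,
        values(UId) AS UId,
        values(Target) AS Target,
        dc(sourcetype) AS source_count
        BY norm_time
| where source_count == 2
| fieldformat First_time = strftime(First_time, "%I:%M:%S%p")
| fieldformat norm_time = strftime(norm_time, "%Y-%m-%d %H:%M:%S")
| table norm_time, First_time, UId, Target
| sort norm_time
```

Rows where source_count is 2 are the buckets that contain both a Unix and a Windows event, i.e. the matched logons; appending `| stats earliest(First_time) AS First_Logon BY UId` gives the first logon per user that the posted search was after. Two caveats a practitioner would want: _time itself cannot be rewritten at search time, only shadow fields like norm_time, and a constant 5-hour skew is almost always a time-zone parsing problem on one of the two inputs (for instance one side logging UTC and the other a UTC-5 zone, which is an assumption here). The durable fix is a TZ setting in props.conf for the affected sourcetype on the indexer or heavy forwarder that parses those events; that only affects data indexed after the change, so the search-time offset above is still needed for events already on disk.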
Share some sample data from both logs.