How to correlate events from different sourcetypes...

shivarpith · ‎12-01-2015

Hi,

We have logs coming into Unix and Windows Webspere. Every logon in Windows generates an event in Unix with the type of security connection used (Ex: Web 3 and secure). The only thing matching in both the logs are index, and the challenge here is the logs in Windows Websphere have a _time of 5 hours ahead from that of Unix. I tried the search below, but no events are showing up.

index=ABC_XYZ UId="*" "Logon" sourcetype="websphere:unix"
| eval First_time = _time 
| join index
[ search index=ABC_XYZ "logon" "*web3qa*" sourcetype="websphere:windows" Target="*"
| eval Error_time = _time]
| where Error_time = First_time+18000
| stats  earliest(First_time) as First_Logon by UId
| fieldformat First_time =strftime(First_time,"%I:%M:%S%p")
| fieldformat Error_time =strftime(Error_time,"%I:%M:%S%p")
| table First_Logon,First_time,Target

If editing the time in search doesn't work, my plan is to change the _time value in props file of the default app for this sourcetype. Please advise on how to do so.

Thanks in advance

sundareshr · ‎12-01-2015

Have you looked at the map command?

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map

shivarpith · ‎12-01-2015

can you please eloberate or edit my search query? and like i said i dont have any matching field to map from.. the log from unix just shows the type of connection used and windows shows the userid. As we know that they have a time difference of 5 hours we can manually see the connection between two logs. how do i match the events based on _time and _time+18000?

Please advise

sundareshr · ‎12-01-2015

Share some sample data from both logs.

How to correlate events from different sourcetypes from different timezones and no matching fields

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk