Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group various logs from different indexes with different field names, but same values?

DEAD_BEEF
Builder
‎02-10-2016 11:10 AM

I am trying to group three sets of indexes' logs when all three have the same source and destination IP address within a minute of each other. My initial thought was to use transaction, but ran into a problem because the source IP in index-A is called 'dvc_ip'. Is there a way to have transaction see the dvc_ip value of Index-A and match that with src_ip value of Index B & C?

Ultimately, I'd like to join these logs together to then create a table (username, host_ip, src_ip, dest_ip, website, category, referrer).

Log Field Setup

Index-A    host_ip     dvc_ip    dest_ip    
Index-B                src_ip    dest_ip    website    referrer
Index-C                src_ip    dest_ip    website    category    username

// dvc_ip and src_ip are the same value, just named differently.  Indices B/C do not have the host_ip.

Sample Data

Index-A    192.168.0.100     1.2.3.4    4.4.4.4    
Index-B                      1.2.3.4    4.4.4.4    amazon.com    google.com
Index-C                      1.2.3.4    4.4.4.4    amazon.com    shopping    jsmith
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-10-2016 11:32 AM

Why don't you use an alias to name your source ip with the same name across all your three indexes?
Something like:

index=Index-A OR index=Index-B OR index=Index-C
| eval source_ip = coalesce(dvc_ip, src_ip)
| transaction source_ip, dest_ip BLA BLA BLA

By the way, transaction might not be accurate enough for what you are trying to achieve unless you can easily specify your startWith event and your endWith event.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-10-2016 11:32 AM

Why don't you use an alias to name your source ip with the same name across all your three indexes?
Something like:

index=Index-A OR index=Index-B OR index=Index-C
| eval source_ip = coalesce(dvc_ip, src_ip)
| transaction source_ip, dest_ip BLA BLA BLA

By the way, transaction might not be accurate enough for what you are trying to achieve unless you can easily specify your startWith event and your endWith event.

0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎02-10-2016 11:43 AM

I did not know about using an alias. The time between the three logs are all within a 1-minute span. Trying alias now.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...