Splunk Search

How to generate a search that will correlate users' status in different target systems?

krishnacasso
Path Finder

We get 3 csv files from 3 different target systems T1, T2, T3 with user details. We have users present in all the target systems. We need to display users whose status is not the same in the target systems. We have a unique value in T1 & T2 with different field names field1, field2

and a common value with the field name (Uniquenumber) in T2 & T3.
We need to correlate the 3 target systems' csv files and display if the user status is not the same, e.g.:
T1 - Active
T2 - NotActive
T3 - Active.

Need help to start the search. All the csv files are under the same index name and sourcetype with different source files.

Thanks.


somesoni2
SplunkTrust

Try something like this

index=foo sourcetype=bar (source=*file1.csv OR source=*file2.csv OR source=*file3.csv)
| eval AID=coalesce(ID,ApplicationID)
| eventstats values(unique) as tempUnique by AID
| eval unique=coalesce(unique,tempUnique)
| table unique Accountinformation Status estatus
| stats values(*) as * by unique
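As an added example (not from the thread and not Splunk's own code), the same correlation done in Python over constructed copies of the three CSV files: file1 is joined to file2 on `unique`, file2 to file3 on `ID`/`ApplicationID` (as in the coalesce above), and each system's status code is normalised to active/not-active so that rows whose status disagrees, or that are missing from a system, are flagged. The mapping Status `T` = active and the file3 header name `ApplicationID` are assumptions.

```python
import csv
import io

# Constructed sample inputs that mirror the three CSV files described in the thread,
# including file2's trailing comma and file3's space after a delimiter.
FILE1 = '''"OU","unique","accountname","Accountinformation"
"sitsai,ou=users,dc=company,dc=com","alpha","sphere","NA"
"sitsai,ou=users,dc=company,dc=com","beta","cube","A"
'''
FILE2 = '''"OU","unique","ID","Status","AID",
"sitsai,ou=users,dc=company,dc=com","alpha","12563","T","app1",
"sitsai,ou=users,dc=company,dc=com","beta","77001","T","app1",
'''
FILE3 = '''"ApplicationID", "employee","estatus"
"12563","alpha","1"
"77001","beta","0"
'''

# Per-system status codes normalised to True (active) / False (not active).
# file1 and file3 mappings are as stated in the thread; Status "T" = active is an assumption.
STATUS_MAPS = {
    "Accountinformation": {"A": True, "NA": False},
    "Status": {"T": True, "A": False},
    "estatus": {"0": True, "1": False},
}


def read_rows(text):
    """Parse one CSV file (given as a string) into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text), skipinitialspace=True))


def correlate(file1, file2, file3):
    """Join file1->file2 on 'unique' and file2->file3 on ID/ApplicationID, then return
    one row per user whose normalised status differs between systems (a user missing
    from a system, or an unknown code, normalises to None and also counts as a mismatch)."""
    by_unique = {r["unique"]: r for r in read_rows(file1)}
    by_appid = {r["ApplicationID"]: r for r in read_rows(file3)}
    mismatches = []
    for r2 in read_rows(file2):
        r1 = by_unique.get(r2["unique"], {})
        r3 = by_appid.get(r2["ID"], {})
        raw = {
            "Accountinformation": r1.get("Accountinformation"),
            "Status": r2.get("Status"),
            "estatus": r3.get("estatus"),
        }
        active = {f: STATUS_MAPS[f].get(v) for f, v in raw.items()}
        if len(set(active.values())) > 1:
            mismatches.append({"unique": r2["unique"], **raw, "active": active})
    return mismatches
```

With the sample data, `alpha` is flagged (not active in file1 and file3, active in file2) while `beta` is consistent across all three systems.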

krishnacasso
Path Finder

Hi Richgalloway,
Thanks for spending time on this. Please find the details below.

file1.csv
"OU","unique","accountname","Accountinformation"
"sitsai,ou=users,dc=company,dc=com","alpha","sphere","NA"
For the Accountinformation field we have A and NA values, which mean Active and Not Active.

file2.csv
"OU","unique","ID","Status","AID",
"sitsai,ou=users,dc=company,dc=com","alpha","12563","T","app1",
For Status we have T and A values.

file3.csv
"ApplicantionID", "employee","estatus"
"12563","apha","1"
For estatus we have 0 and 16 values. 0 means active and 1 means not active.

In file1 and file2 we have the unique value alpha in the field unique;
in file2 and file3 we have the unique value 12563 in the fields AID and ApplicationID.

We need to join the csv files and display the fields unique, Accountinformation, Status, estatus in a table
when Accountinformation is A, Status is T and estatus is 0.

Thanks.


richgalloway
SplunkTrust

The question is a little too vague. What is the status field called in each source? Are status values consistent among the sources? How is field2 related to Uniquenumber?

---
If this reply helps you, Karma would be appreciated.

somesoni2
SplunkTrust

Can you provide the list of fields by sources and their relationship?
