How to combine information from 2 different source...

silviuchiric76 · ‎01-29-2020

Dear all

I have 2 data sources: logs forwared to the server as :
sourcetype=eea:loghandler
and lookup definition file as users_with_email

file
called users_with_email.csv

I have a key field in both sources the same:
in sourcetype=eea:loghandler is called user with values like firstname.lastname@domain.com
and in lookup definition file I have email field, same value firstname.lastname@domain.com
and this is the case for all users

I need to get an aggregated reports of users from

sourcetype=eea:loghandler by joining the department field from lookup definition file users_with_email(users_with_email.csv)

When I try to make an OR:
sourcetype=eea:loghandler OR inputlookup users_with_email
got no results

gcusello · ‎01-30-2020

Hi @silviuchiric76,
you should try something like this:

sourcetype=eea:loghandler
| lookup users_with_email.csv email AS user OUTPUT department
| dedup user
| sort user
| table user department

A little hint: use always index in your searches to have faster results!

Ciao.
Giuseppe

silviuchiric76 · ‎01-29-2020

I am interested for an inner join after email.users_with_email = eea:loghandler.user

How to combine information from 2 different sources like sourcetype=eea:loghandler and lookup file

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms