Solved: Pull Different Fields from another Sourcetype

itsmevic · ‎02-28-2020

I'm having to search across two indexes and am looking for a particular string of text, called "sampletext"

Example:
index=sso sourcetype="ping*" "my sampletext here"

Now, I would also like to search the sourecetype=Active Directory for two of its fields as I would like to include Active Directories department and description fields to my query:

Example:
index=msad sourcetype=ActiveDirectory department=* description=*

The problem is it's not pulling the Active Directory fields because I am searching for a particular string of text "sampletext" and it's only pulling back the fields under the sso index.

How do I pull the event data that contains the string text under index=sso AND pull the Active Directory fields, department and description under those events too? Is this possible?

Any help is greatly appreciated!

to4kawa · ‎02-28-2020

index=msad sourcetype=ActiveDirectory department=* description=* [ search index=sso sourcetype="ping*" "my sampletext here" 
| return $fieldname_has_sample_text]

this sub search returns only one event. If there is many events, change return option.

View solution in original post

nickhills · ‎02-29-2020

Am I missing something obvious?
would this not work?

(index=sso sourcetype="ping*") OR (index=msad sourcetype=ActiveDirectory department=* description=*)|search "my sample text"

If my comment helps, please give it a thumbs up!

to4kawa · ‎02-29-2020

Hi, @nickhillscpl
(index=sso sourcetype="ping*") OR (index=msad sourcetype=ActiveDirectory department=* description=*)| "my sample text"
up to here.

itsmevic · ‎03-02-2020

What I ended up doing was [search index=...] within the other index of my search and with a little tweaking and peaking was able to pull the data I needed.

to4kawa · ‎02-28-2020

index=msad sourcetype=ActiveDirectory department=* description=* [ search index=sso sourcetype="ping*" "my sampletext here" 
| return $fieldname_has_sample_text]

this sub search returns only one event. If there is many events, change return option.

itsmevic · ‎02-28-2020

Hi to4kawa, thank you for providing your suggestion. I've adjusted the SPL a little bit and it is now looking at both indexes as well as multiple sourcetypes. I can see in the fields sidebar the fields from both indexes. I know just need to pipe it out into a report. Unfortunately, It will only pipe out "UserName and Workstation", both of which are fields that reside under the index=sso and not the index=msad.

(index="sso" sourcetype="ping*" UserName="" Workstation="" "NTLMSSP principal: DomainName= UserName") OR (index="msad" sourcetype=ActiveDirectory description="*")
| stats count by UserName,Workstation
| sort -count

I see the description and department fields in the fields sidebar but when I try and incorporate them into the |stats command, they aren't appearing.

to4kawa · ‎02-29-2020

I can make queries with only sample logs.
You have explained, but it is assumed that I know the log.
I basically don't know the system and logs outputs.
Does not presenting a log mean that you don't need help from someone who doesn't know the log? Then I'm useless.

Pull Different Fields from another Sourcetype

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!