Solved: Can you help me find matching fields from 2 out of...

Task1906 · ‎09-20-2018

Hello, I hope someone can help.

I am attempting to do a subsearch that I am having difficulty with and hope someone here can assist.

I would like any fields in SourceB or SourceC that match SourceA, to be returned

but now, I need it to be interpreded more like this:
SourceA field1 (SourceB field1 or SourceC field1)

kamlesh_vaghela · ‎09-23-2018

@Task1906

If you want to filter events from SourceA on the basis of field1 value from SourceB and SourceC then try this.

Thanks

View solution in original post

Task1906 · ‎09-23-2018

kamlesh_vaghela, thanks for the input, thanks to you I have it working. But SourceA is not needed where it is. #2 SourceC is listed twice, and the 2nd time should be SourceA if it is removed from the beginning.
The working command looks like this:
[ search SourceB | dedup field1
| fields field1]
OR
[ search SourceB | dedup field1 | fields field1]
| join field1
[ search SourceA | dedup field1 | fields field1]
| table field1 | dedup field1

kamlesh_vaghela · ‎09-23-2018

@Task1906

If you want to filter events from SourceA on the basis of field1 value from SourceB and SourceC then try this.

Thanks

Vijeta · ‎09-21-2018

you can use an inner join between source B/C and source A on field that needs to be matched.

Can you help me find matching fields from 2 out of 3 sources?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases