Re: How to compare a field from one sourcetype wit...

Zerophage · ‎11-10-2017

Hello,

Hoping someone can help, I'm new to Splunk.

Lets say I have the following source types:
"event_alert" - contains an event with a username
"user_info" - contains information about users

Is there a way I can run a search which returns "event_alert" but with extra fields that are matched from "user_info". So I'm looking into "user_info" for a user name and if it exists, it then returns business unit, etc.

I thought of using eval but I cannot figure out how to reference fields from different sourcetypes something like the below doesn't work:

eval unit = if ("event_alert.user" == "user_info.username",business_unit,"unknown")

Hope my question makes sense, let me know if i can elaborate.

koshyk · ‎11-10-2017

hi, the efficient way to do this is (Assuming user and username are NOT present in the same sourcetype)

index=* (sourcetype=event_alert OR sourcetype=user_info) | eval unit = if (user == username,business_unit,"unknown") | stats count by unit

====

# Real life example would be
index=_internal (sourcetype=splunkd OR sourcetype=splunkd_access) |  eval unit=if(service_maxSizes==roll_hotBkt ,"hit","miss")| stats count by unit

How to compare a field from one sourcetype with another sourcetype then return the result in a new field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases