So basically what you will need to do (and sorry if there is some repetition of what you have done, the question is a little unclear) is...
Extract the fields for each sourcetype, with the easiest way being the IFX (Interactive Field eXtractor), alternatively using conf files.
Search those sourcetypes and you should have that field available in your Field Discovery panel (on the left). e.g....
(sourcetype=NetSweep_log OR sourcetype=Radius_log) | top FramedIP
Should be simple enough.
Hope this helps; if it doesn't, please explain a little more.
MHibbin
I tried this command, but it returns "0 matching events".
The logic seems to be correct though.
Is there any syntax we are missing?
If this answers your question please mark it as accepted (with the tick next to the answer), and if you are feeling generous you can also up-vote it. Thanks 🙂
So you want to use the values from the FramedIP field from the NetSweep_Log and use them to search in the Radius logs?
In that case you will need to use the subsearch feature; this will involve:
sourcetype=NetSweep_Log | top FramedIP
sourcetype=Radius_log [search sourcetype=NetSweep_Log | top FramedIP | fields + FramedIP]
I'm assuming this is what you are after. You should read the docs here... http://docs.splunk.com/Documentation/Splunk/4.3.3/User/HowSubsearchesWork
I guess this shows all the FramedIP from both the sourcetypes.
But what I really need is all the data available in NetSweep_Log for FramedIP present in Radius_log.
I am new to Splunk. Sorry if it's a stupid question.
Thanks!!
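For the request in the last post, the subsearch from the answer above can be turned around so that Radius_log supplies the FramedIP values and NetSweep_Log is the outer search. This is an added example, not part of the original thread; it assumes FramedIP is already extracted in both sourcetypes, and it uses dedup instead of top because top returns only the 10 most common values by default.

```spl
sourcetype=NetSweep_Log
    [ search sourcetype=Radius_log FramedIP=*
      | dedup FramedIP
      | fields FramedIP ]
```

Running the inner search on its own with `| format` appended shows the `FramedIP=... OR FramedIP=...` filter that the outer search receives, which helps when the combined search returns no events.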