Mighty Splunk people... I'm having a problem getting my data further refined-- I've got source A that shows me a hostname and a MAC address (basically DHCP logs) and source B that indicates the network segment joined, which unfortunately only contains the MAC address. I need to be able to correlate the two sources, but only when there's a match (against a subset of source B, which I already have.) I want to disregard the other data and getting just the correlated data is the problem.
Here's a sanitized set of my source records:
Sep 21 16:52:45 sourceA dhcpd: DHCPREQUEST for 192.168.0.10 from aa:aa:aa:aa:aa:aa (homer)
Sep 21 16:52:24 sourceA dhcpd: DHCPREQUEST for 192.168.0.11 from bb:bb:bb:bb:bb:bb (marge)
Sep 21 16:52:22 sourceB syslog: eventd_to_syslog():User[bb:bb:bb:bb:bb:bb] joins specific_network
Sep 21 16:52:20 sourceA dhcpd: DHCPREQUEST for 192.168.0.12 from cc:cc:cc:c:cc: (bart)
So in this case there's no accompanying sourceB entry for homer or bart. How can I filter so that the only remaining data is the one that's correlated?
I want to be able to eventually take this to a table with an output something like this:
timestamp hostname
Sep 1 16:52:22 marge
(without homer or bart.)
Right now I'm doing basically the following:
(host=SourceA) OR ("specific_network") | eval macaddress=coalesce(sourceA_mac,sourceB_mac) | table computername macaddress
In this case the key field, macaddress, is showing in the table as null, although in specific fields, I can see where it is applied in the detail view.
Expanding it out to
(host=SourceA) OR ("specific_network") | eval macaddress=coalesce(sourceA_mac,sourceB_mac) | table computername macaddress sourceA_mac sourceB_mac
Then I can see that the fields aren't keying off the matching MAC address. I get separate lines, homer, marge and bart included. I'd really rather treat this data as if both sources were combined if and only if there were a match, but it doesn't seem like a join is the right answer.
Help?
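The correlation the post is after (keep a host only when its DHCP MAC also appears in a "joins specific_network" event) is, in Splunk terms, a group-by on the MAC followed by a filter on "both sides present" rather than a join. The following Python is an added example written for this thread, not code from the poster or from Splunk: it parses the sanitized record formats shown above, groups events by MAC the way `stats ... by mac` would, and emits only the rows where a hostname from source A and a network membership from source B share that MAC. The sample lines are constructed copies of the post's records (bart's truncated MAC has been completed so that the example shows him being excluded for lack of a match, not for failing to parse); the regexes and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the sanitized records in the post.
SAMPLE_LOGS = [
    "Sep 21 16:52:45 sourceA dhcpd: DHCPREQUEST for 192.168.0.10 from aa:aa:aa:aa:aa:aa (homer)",
    "Sep 21 16:52:24 sourceA dhcpd: DHCPREQUEST for 192.168.0.11 from bb:bb:bb:bb:bb:bb (marge)",
    "Sep 21 16:52:22 sourceB syslog: eventd_to_syslog():User[bb:bb:bb:bb:bb:bb] joins specific_network",
    "Sep 21 16:52:20 sourceA dhcpd: DHCPREQUEST for 192.168.0.12 from cc:cc:cc:cc:cc:cc (bart)",
]

# Assumed field extractions (the Splunk equivalent would be two rex/props extractions).
TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
DHCP_RE = re.compile(
    r"^" + TS + r" \S+ dhcpd: DHCPREQUEST for \S+ from " + MAC + r" \((?P<host>[^)]+)\)", re.I)
JOIN_RE = re.compile(
    r"^" + TS + r" \S+ syslog: .*User\[" + MAC + r"\] joins (?P<net>\S+)", re.I)


def parse(line):
    """Turn one raw line into a dict of extracted fields, or None if it matches neither format."""
    m = DHCP_RE.match(line)
    if m:
        return {"source": "A", "ts": m["ts"], "mac": m["mac"].lower(), "hostname": m["host"]}
    m = JOIN_RE.match(line)
    if m:
        return {"source": "B", "ts": m["ts"], "mac": m["mac"].lower(), "network": m["net"]}
    return None


def correlate(lines, network="specific_network"):
    """Return only (timestamp, hostname, mac) rows whose MAC appears in BOTH sources.

    This is the same shape as an SPL search of the form
        ... | stats values(hostname) as hostname values(network) as network by mac
            | where isnotnull(hostname) AND isnotnull(network)
    i.e. group by the shared key, then keep only groups that have both sides.
    """
    by_mac = defaultdict(lambda: {"hostnames": set(), "join_ts": []})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # unparsable line: contributes nothing
        bucket = by_mac[ev["mac"]]
        if ev["source"] == "A":
            bucket["hostnames"].add(ev["hostname"])
        elif ev["network"] == network:    # subset of source B we care about
            bucket["join_ts"].append(ev["ts"])

    rows = []
    for mac, b in sorted(by_mac.items()):
        if not (b["hostnames"] and b["join_ts"]):
            continue                      # no match on both sides: drop (homer, bart)
        for host in sorted(b["hostnames"]):
            for ts in b["join_ts"]:       # timestamp of the network join, as in the wanted table
                rows.append({"timestamp": ts, "hostname": host, "mac": mac})
    return rows


def unmatched_hosts(lines, network="specific_network"):
    """Hosts seen in source A that never joined the network; useful as a sanity check."""
    matched = {r["hostname"] for r in correlate(lines, network)}
    seen = {ev["hostname"] for ev in map(parse, lines) if ev and ev["source"] == "A"}
    return sorted(seen - matched)


if __name__ == "__main__":
    print("timestamp        hostname")
    for r in correlate(SAMPLE_LOGS):
        print(f"{r['timestamp']}  {r['hostname']}")
```

Run against the sample lines it prints a single row for marge; homer and bart are dropped because no source B event shares their MAC. The point that transfers back to SPL is that `coalesce` only merges fields within one event, so it can never link a DHCP event to a separate syslog event; grouping on the MAC (`stats ... by mac`) is what brings the two events together, and the `where` on both fields being non-null is what implements "only when there's a match".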