Solved: Merging Results from 3 Searches

welkinson · ‎11-22-2011

Hi I have 3 searches from 3 different device, I would like to have 1 report which contains data from the the 3 devices into 1 line. I am tracking a user who plugs his pc to a switch which in turn asks the DHCP server to assign an IP address to him a role will then be assigned to him by an app server. I want to match the MAC address from logs of the switch to the Mac address from the logs in the DHCP then match the IP address from the DHCP logs to the IP Adress in the App server log. Is this possible? Thanks in advance!

Switch: Switch MAC Address & Local Port

DHCP: MAC Address & IP Address

App Server: IP Address & Role

Report will have :

MAC Address IP Address Role in 1 Line

Edit:
Here are the three searches:

host="10.21.10.23" | rex field=_raw "for client (..[)] on Interface [ ]" | eval switch_mac=switch_mac1.switch_mac2.switch_mac3 | stats count by switch_mac IPort

(host="10.21.10.8" OR host="10.21.10.7") "10.21.23" | rex field=_raw "IP address (?.) is assigned to (?.)[.] ([)]" | stats count by Mac_adr, IPadr

(host="10.21.10.3" OR host="10.21.10.4") "10.21.23" | rex field=_raw " on host (?.) changed from <(?.)> to <(?.*)>" | stats count by clientpc, FromRole, ToRole

Thank You

eelisio2 · ‎11-25-2011

Assuming clientpc is an IPAddress, I would try the append command to gather the events from your 3 searches and then pipe to the transaction command to correlate. In order for the transaction command to correlate based on field names, you need to change "clientpc" to "IPadr" and also change "switch_mac" to "Mac_adr". (Make sure the spelling of the Ip address and Mac address fields match.) Include your 3 searches (without the stats commands) in the framework below:

"Your first search"

| append
[search "Your second search"]

| append
[search "Your third search"]

| transaction Mac_adr IPadr

View solution in original post

eelisio2 · ‎11-25-2011

Assuming clientpc is an IPAddress, I would try the append command to gather the events from your 3 searches and then pipe to the transaction command to correlate. In order for the transaction command to correlate based on field names, you need to change "clientpc" to "IPadr" and also change "switch_mac" to "Mac_adr". (Make sure the spelling of the Ip address and Mac address fields match.) Include your 3 searches (without the stats commands) in the framework below:

"Your first search"

| append
[search "Your second search"]

| append
[search "Your third search"]

| transaction Mac_adr IPadr

welkinson · ‎11-28-2011

Yes,

Finally got it. Many many thanks!

eelisio2 · ‎11-23-2011

Assuming you have the appropriate fields extracted, you should be able to use the transaction command:

sourcetype=Switch OR sourcetype=DHCP OR sourcetype=Appsvr | transaction MacAddress IPAddress | table MacAddress IPAddress Role

eelisio2 · ‎11-24-2011

Your searches results depend on having certain fields (MacAddress, IPAddress, Role). Fields can be automatically extracted by Splunk at search time based on key-value pairs in the logs events. Or they can be extracted explicitly by editing props.conf (and transforms.conf if necessary).

welkinson · ‎11-24-2011

Hi Thanks for your answer, what do you mean by appropriate fields extracted. Thanks!

Merging Results from 3 Searches

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!