Re: How would I combine data in Splunk so I can vi...

Chris231289 · ‎02-09-2023

Hi i am new,

I have 2 excel documents, one containing firewall logs and the other containing Sys logs. how would i combine the data in splunk so i can view them on one page

I want to compare when the firewall was used (and its destination IP) to when FTP was used (from syslogs).

Thank you

yuanliu · ‎02-09-2023

This question is very broad, but combining data is at the very foundation of Splunk. So, without specifics, suppose you have a sourcetype firewall (with firewall logs), and another sourcetype syslog (containing syslogs); suppose source IP in firewall logs is named dst_ip, and FTP server's IP is ftp_ip. You didn't specify what combined result you want, so I'll just use a dumb example.

sourcetype IN (firewall, syslog)
| eval ip_of_interest = coalesce(dst_ip, ftp_ip)
| bin span=5m _time
| stats values(sourcetype) as sources by ip_of_interest _time
| where mvcount(sources) > 1

This will give you time periods when dst_ip and ftp_ip appeared in the same 5-minute time window.

Hope this helps

richgalloway · ‎02-10-2023

I'll add to what @yuanliu said by pointing out that Splunk cannot ingest Excel files because they are not text. You would have to save them as CSV files to load them into Splunk.

---
If this reply helps you, Karma would be appreciated.

How would I combine data in Splunk so I can view them on one page?

join

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?