Background:
My windows AD users are in index "windersAD". All of their web traffic is logged in index "wsa".
I would like to have a table with the timestamp, userID, source_IP, the URL, and the Web Category.
So far I have started with this:
index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full="Online Storage*" | fields src, cs_url | dedup src ] | table _time, user, src, cs_url, x_webcat_code_full | dedup src
What I get is "No results found". I don't think that I am passing the user field values correctly. Please help!
Thanks in advance!
Is there a common field between events in the windersAD index and the wsa index to correlate the web logs with users? I assume wsa does not have a user id? If there is, you could try something like this:
index=wsa [search index=windersAD | stats count by <common_field> | table <common_field> ] | table _time userid src .....
Here is some good online documentation on sub-searches that you may find helpful for what you are trying to accomplish.
The only common field between the two indexes is the source IP field. The user ID field is in the WindersAD index and all of the other fields are in the wsa index. That's the trouble I am having: how do I use the src IP and pull the user ID from one index (windersAD), and all of the other fields from the other (wsa) index?
Did you try
index=wsa [search index=windersAD | stats count by src_ip | table src_ip ] | table _time userid src .....
The field name that has the source IP has to be the same in both indexes for the above to work. If they are not, you can rename src_ip to whatever is the name in the wsa index.
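One way to do the correlation the thread asks for, pulling the account from the AD events and the rest of the columns from the WSA events keyed on source IP, as an added example that is not from either poster. It assumes the AD events carry the IP in src_ip and the account in user (both names are guesses, following the answers above) and the WSA events carry the IP in src:

```spl
(index=wsa eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full="Online Storage*")
    OR (index=windersAD src_ip=*)
| eval src=coalesce(src, src_ip)
| eventstats latest(user) AS ad_user BY src
| where index="wsa"
| table _time ad_user src cs_url x_webcat_code_full
```

Searching both indexes in one pass and attaching the account with eventstats avoids the subsearch result and time limits that a bracketed search runs into on large AD indexes. The account attached is the most recent one seen for that IP within the search window, so keep the window short where addresses are reassigned by DHCP, or the user shown for an old web event may be whoever held the address later.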