Channel: Questions in topic: "splunk-enterprise"

Help with writing a join command that joins a security breach to the previous login

This is the requirement. I need to join two events based on a common field "User". The event with EventType "Security Breach" should be joined with EventType "Login". The condition is: User1, who has a "Security Breach" at 10:55 AM, should be joined to the login at 10:54 AM, not to the login at 10:57 AM or the login at 10:49 AM. Similarly, User1, who has a "Security Breach" event at 10:50 AM, should be joined to the Login event at 10:49 AM, not the one at 10:54 AM. Hope this clarifies.

Security Breach events:

    _time     User   EventType
    10:55 AM  User1  Security Breach
    10:53 AM  User2  Security Breach
    10:50 AM  User1  Security Breach
    10:48 AM  User1  Security Breach

Login events:

    _time     User   EventType
    10:57 AM  User1  Login
    10:55 AM  User2  Login
    10:54 AM  User1  Login
    10:53 AM  User2  Login
    10:49 AM  User1  Login

Can anyone help me in writing a query for this? I tried using join with the earlier=true option, but that doesn't give me the right result.
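One way to express this, as an added example that is not from the question or from any posted answer: instead of join, sort the events for each User in time order and use streamstats to carry the most recent Login time forward onto every later event, then keep only the breaches. It assumes `index=<your_index>` is replaced by the real base search and that User and EventType are already extracted fields.

```spl
index=<your_index> (EventType="Security Breach" OR EventType="Login") User=*
| eval login_time=if(EventType="Login", _time, null())
| sort 0 User _time
| streamstats current=f last(login_time) AS prev_login_time BY User
| where EventType="Security Breach"
| eval prev_login=coalesce(strftime(prev_login_time, "%I:%M %p"), "no earlier login")
| table _time User EventType prev_login
```

On the sample data above this pairs the 10:55 breach with the 10:54 login and the 10:50 breach with the 10:49 login, and reports "no earlier login" for the 10:48 breach, because current=f excludes the event itself and last() skips events whose login_time is null.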
