I am using the OneLogin app in our Splunk environment and it is doing a great job with the default searches and some custom ones I have built. However, I want to do more fancy footwork and I'm having trouble getting the syntax right.
I want to search the sourcetype:user events to determine each user's role in OneLogin, and then use that output against the "onelogin success to app" event type, searching for one particular app, to get a chart of the role to app login count. This does require doing a search and a subsearch, or using a join, as the searches are for two different sourcetypes/eventtypes. I am trying to use examples from the Splunk help pages but I am having zero luck.
Is anyone using Splunk for their OneLogin events and can someone help with this, maybe offline? Thank you!
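As an added example (not from the original post and not one of the OneLogin app's own saved searches), here is one way to write that role-to-app login chart in SPL. The eventtype and field names are assumptions: `onelogin_success_to_app` for the "success to app" eventtype, `sourcetype="onelogin:user"` for the user records, `user_name` as the field shared by both sourcetypes, `app_name` for the application, and `role_name` for the user's role(s). Check the real names first with something like `sourcetype="onelogin:user" | head 1 | transpose`, and if the user records only carry numeric role IDs you will need a lookup from ID to name before this works. The first search uses `join` as the post asks; the second produces the same chart with a single `stats` and no join.

```spl
eventtype="onelogin_success_to_app" app_name="Salesforce" `comment("assumed eventtype/field names; app_name is the one app you care about")`
| stats count AS logins BY user_name
| join type=left user_name
    [ search sourcetype="onelogin:user" role_name=*
      | stats values(role_name) AS role_name BY user_name ]
| fillnull value="(no role)" role_name
| mvexpand role_name
| stats sum(logins) AS logins BY role_name
| sort -logins

(eventtype="onelogin_success_to_app" app_name="Salesforce") OR sourcetype="onelogin:user" `comment("join-free version: same assumed names, both sourcetypes in one base search")`
| eval is_login=if(sourcetype="onelogin:user", 0, 1)
| stats sum(is_login) AS logins, values(role_name) AS role_name BY user_name
| where logins > 0
| fillnull value="(no role)" role_name
| mvexpand role_name
| stats sum(logins) AS logins BY role_name
| sort -logins
```

Both searches count a login once under every role the user holds (that is what `mvexpand` does with a user who has several roles), and users with no role record land in a "(no role)" bucket instead of disappearing, which is worth keeping visible because it usually means the user sourcetype is stale or incomplete. Prefer the second form in a large directory: the subsearch inside `join` is capped by `subsearch_maxout` (50,000 results) and `subsearch_timeout` (60 seconds) under the `[join]` stanza in limits.conf, and when it hits either cap it silently drops users rather than erroring, so the chart looks fine but undercounts. Add `| chart` or switch the visualization to a bar chart on the final `stats` output to get the role-to-login graph.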