https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270582#M51941 <P>I have common signature fields for both devices (Palo Alto and McAfee IPS) in the results. I just want to see the results from McAfee IPS signature filed.</P> <P>Please advise.</P> Mon, 24 Oct 2016 15:47:55 GMT rashid47010 2016-10-24T15:47:55Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270582#M51941 <P>I have common signature fields for both devices (Palo Alto and McAfee IPS) in the results. I just want to see the results from McAfee IPS signature filed.</P> <P>Please advise.</P> Mon, 24 Oct 2016 15:47:55 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270582#M51941 rashid47010 2016-10-24T15:47:55Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270583#M51942 <P>Both logs should have different sourcetype, so add mcafee IP specific sourcetype in your search (you can see the available sourcetypes of left field sidebar when you run the search).</P> Mon, 24 Oct 2016 15:50:17 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270583#M51942 somesoni2 2016-10-24T15:50:17Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270584#M51943 <P>thanks for quick reply, below is my query: </P> <P>index=paloalto_pa OR index=mcafee_ips src="2xx.xx.x.x1" | transaction src | stats count as "TOTAL_ATTEMPTS",values(dest) as DESTINATION,values(dest_translated_ip) as NATED_IP,values(threat_name),values(signature) by src</P> <P>for paloalto and mcafee IPS i have common signature field. For paloalto the thread_name(paloalto) gives me more value instead showing signature. <BR /> now for mcafee IPS there is only signature field which is OK for me. now the results showing only signature field from paloalto not from mcafee IPS</P> Tue, 29 Sep 2020 11:32:14 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270584#M51943 rashid47010 2020-09-29T11:32:14Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270585#M51944 <P>Use<BR /> index=your_index sourcetype=ips | ...<BR /> Bye.<BR /> Giuseppe </P> Mon, 24 Oct 2016 16:09:34 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270585#M51944 gcusello 2016-10-24T16:09:34Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270586#M51945 <P>I got my required results.<BR /> at this stage two things in my mind. </P> <P>1- for singature filed it shows me the signature values from both index/sourcetypes. I want to see the signature from only mcafee IPS</P> <P>2- how can I show the result where as both devices have different field name for result </P> Mon, 24 Oct 2016 16:17:56 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270586#M51945 rashid47010 2016-10-24T16:17:56Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270587#M51946 <P>@rashid47010 - Just to clarify: Did cusello's suggestion of using <CODE>index=your_index sourcetype=ips | ...</CODE> help get the "required results" to answer your question? </P> Fri, 02 Dec 2016 03:46:15 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-common-field-name-for-different-sources-How-do-I-view/m-p/270587#M51946 aaraneta_splunk 2016-12-02T03:46:15Z