topic Re: Merge two searches that use two different sourcetypes? in Splunk Search

Merge two searches that use two different sourcetypes?

bewald_cfi — Tue, 29 Sep 2020 23:37:27 GMT

I have two searches from two different sourcetypes. Search #1 is currently in a dashboard with a dropdown selection. I would like to merge both searches into one and still utilize the dropdown selection. Is this possible?

Search #2
sourcetype=scans
| rename dest_ip TO dns
| search severity_id>0
| stats count AS plugin_Count BY dns, signature_id, severity_id
| search plugin_Count>1
| lookup computers.csv ip AS dns OUTPUT nt_host AS hostname, owner AS sysadmin
| sort severity_id, sysadmin, hostname
| table sysadmin, hostname, dns, signature_id, severity_id, plugin_Count

Re: Merge two searches that use two different sourcetypes?

richgalloway — Tue, 12 Mar 2019 21:06:50 GMT

What do you want the combined search to generate as output?

Re: Merge two searches that use two different sourcetypes?

bewald_cfi — Tue, 29 Sep 2020 23:37:30 GMT

Rich - I would like the results to be: _time, owner, dns, Risk, Name, signature_id, severity_id, plugin_Count, Solution, "See Also". Then from the dashboard the sysadmin can select the owner and sort just on their asset findings.