Searching in multiple indexes

willadams — Wed, 30 Sep 2020 02:20:19 GMT

I am trying to create a search to do the following:

1) Look in a table where information is tagged in a certain way
2) Using the results of this search, search another index for a piece of data
3) Using the results of the original search, search another index for another piece of data

So my scenario is I have a list of important assets. This can be seen as

index=assets source=import_assets.csv <== the value I am interested in here is the host name, so we will call the field "nt_host". So example results

SRV1
SRV2
SRV5

I have another index that contains information about that asset. This information may be a list of apps installed. This can be seen as

index=software <== this has a specific field value that I would like to check. This field may be "app_name" which contains a list of different apps. If I just ran this search, the results may be

server_name=SRV1
app_name=Flash
app_name=SUF
app_name=agentx

server_name=SRV2
app_name=Flash
app_name=SUF
app_name=agentx

server_name=SRV3
app_name=Flash
app_name=SUF
app_name=agentx

server_name=SRV4
app_name=Flash
app_name=SUF
app_name=agentx

server_name=SRV5
app_name=Flash
app_name=agentx

My objective here is to create a table that shows my "important assets" have an application installed. So my table would show "the server name", and whether the app is installed or not (this would use an eval and if match to determine a "yes" or "no". So illustrating this

[Server Name] | [App Name] | [App Name2]

SRV1 | Yes | No
SRV2 | Yes | Yes
SRV5 | No | Yes

I have attempted the following searches but I end up with no results or a parsing job that goes forever

index=assets source=import_assets.csv | join type = inner max=0 nt_host [search index=software | rename server_name AS nt_host]

index=assets source=import_assets.csv | join type = inner max=0 nt_host [search index=software | rename server_name AS nt_host | fields nt_host]

index=assets source=import_assets.csv | where [search index=software | rename server_name AS nt_host | fields nt_host]

I also attempted to constrain the search by specifying a host in the first index search but this didn't end up with a result

index=assets source=import_assets.csv nt_host=SRV5 | join type = inner max=0 nt_host [search index=software | rename server_name AS nt_host]

Re: Searching in multiple indexes

gcusello — Tue, 26 Nov 2019 14:11:10 GMT

Hi @willadams,
try something like this:

index=software OR (index=assets source=import_assets.csv)
| rename nt_host AS server_name
| stats count BY server_name app_name
| eval status=if(count=0,"No","Yes")
| xyseries server_name app_name status
| fillnull value="No"

I cannot check your search, but this example is ok:

index=wineventlog | stats count BY EventCode Dominio_account
| eval status=if(count=0,"No","Yes")
| xyseries EventCode Dominio_account status
| fillnull value="No"

Ciao.
Giuseppe

Re: Searching in multiple indexes

woodcock — Tue, 26 Nov 2019 23:33:25 GMT

Like this:

index="software" AND [ search index="assets" AND source="import_assets.csv"
| stats count by nt_host
| table nt_host
| rename nt_host AS server_name ]
| chart limit=0 count BY server_name app_name
| replace 0 WITH "NO", 1 with "YES"

topic Re: Searching in multiple indexes in Splunk Search

Searching in multiple indexes

Re: Searching in multiple indexes

Re: Searching in multiple indexes