https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388326#M172073 <P>Hey,</P> <P>So the data I am pulling from is from two source types. I indexed bigfix and tried to pull the software information(vendor), and I pulled from bigfix asset to get the (device type). I'm trying to create a dashboard of the installed software by device type.</P> <P>When I enter this: index=bigfix sourcetype=bigfix:software:inventory | table vendor| join [search index=* sourcetype=bigfix:asset|table computer_type ]| stats count by vendor,computer_type </P> <P>The computer type doesn't output correctly.</P> <P>When I enter...</P> <PRE><CODE>index=bigfix (sourcetype="bigfix:software:inventory" OR sourcetype="bigfix:asset") | stats count(product) by computer_type </CODE></PRE> <P>...it shows the computer type correctly, but the vendor count is 0.</P> <P>Maybe because the events, and fields, don't match from both source types. If it's possible to make it work. I would appreciate the help. </P> <P>Thanks!</P> Tue, 29 Sep 2020 23:55:50 GMT laquantat 2020-09-29T23:55:50Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388326#M172073 <P>Hey,</P> <P>So the data I am pulling from is from two source types. I indexed bigfix and tried to pull the software information(vendor), and I pulled from bigfix asset to get the (device type). I'm trying to create a dashboard of the installed software by device type.</P> <P>When I enter this: index=bigfix sourcetype=bigfix:software:inventory | table vendor| join [search index=* sourcetype=bigfix:asset|table computer_type ]| stats count by vendor,computer_type </P> <P>The computer type doesn't output correctly.</P> <P>When I enter...</P> <PRE><CODE>index=bigfix (sourcetype="bigfix:software:inventory" OR sourcetype="bigfix:asset") | stats count(product) by computer_type </CODE></PRE> <P>...it shows the computer type correctly, but the vendor count is 0.</P> <P>Maybe because the events, and fields, don't match from both source types. If it's possible to make it work. I would appreciate the help. </P> <P>Thanks!</P> Tue, 29 Sep 2020 23:55:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388326#M172073 laquantat 2020-09-29T23:55:50Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388327#M172074 <P>Do these sourcetypes have fields that are common between them?</P> <P>Please share an example event from each</P> Tue, 02 Apr 2019 17:24:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388327#M172074 martinpu 2019-04-02T17:24:36Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388328#M172075 <P>No they don't have any fields in common.</P> <P>Bigfix:software:inventory<BR /> root_host="-----",comp_id="---",vendor="Google Inc.",product="Google Chrome",version="73.0",valid_from="2019-04-------",used_dt="None",updated_dt="2019-04-----",deleted="False",cpe="cpe:/a:google_inc.:google_chrome:73.0",last_scan_time="Fri, 29 Mar 00000"</P> <P>Bigfix:asset<BR /> computer_type="", mac address"", identifying_number"---",computer_name="", ip_address"", disk drive""</P> Tue, 29 Sep 2020 23:55:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388328#M172075 laquantat 2020-09-29T23:55:53Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388329#M172076 <P>If they have any fields that have common values, for e.g. <BR /> comp_id has same value as identifying_number you could join them based on that field.</P> <PRE><CODE>index=bigfix sourcetype=bigfix:software:inventory | table comp_id vendor | join comp_id [ search index=bigfix sourcetype=bigfix:asset | rename identifying_number as comp_id | table comp_id computer_type ] | stats count by comp_id vendor computer_type </CODE></PRE> <P>Basically, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.</P> Tue, 29 Sep 2020 23:55:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388329#M172076 martinpu 2020-09-29T23:55:58Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388330#M172077 <P>Moving comment to answer...</P> <P>If they have any fields that have common values, for e.g. <BR /> comp_id has same value as identifying_number you could join them based on that field.</P> <PRE><CODE> index=bigfix sourcetype=bigfix:software:inventory | table comp_id vendor | join comp_id [ search index=bigfix sourcetype=bigfix:asset | rename identifying_number as comp_id | table comp_id computer_type ] | stats count by comp_id vendor computer_type </CODE></PRE> <P>In essence, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.</P> <P>Additionally if you do not have an exact 1-1 identifier but have a snippet of an identifier in a field e.g<BR /> computer_id=LNWMP-0012341<BR /> identifying_nubmer=0012341 <BR /> You could extract the number from the ID with the rex command.</P> Tue, 29 Sep 2020 23:56:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-and-match-data/m-p/388330#M172077 martinpu 2020-09-29T23:56:33Z