topic Substituting host and source data in Splunk Search https://community.splunk.com/t5/Splunk-Search/Substituting-host-and-source-data/m-p/562103#M195488 <P>Hello - I am using the following two searches:<BR /><BR />The first search is creating a table consisting of _time, idx, and b.&nbsp; There are two other fields available, s for source and h for host.&nbsp; However, we squash this information for performance reasons.<BR /><BR />index=_internal sourcetype=splunkd type=Usage source=*license_usage.log<BR />| table _time idx b<BR />| rename idx as index, b as bytes<BR /><BR />I have been trying to figure out a way to substitute the s &amp; h data in the events by using a join, append, or appendcols using:<BR /><BR />| tstats count WHERE index=* sourcetype=* source=* unit_id=* by index, sourcetype, source, host, dept<BR />| table index, sourcetype, source,&nbsp; host, dept</P><DIV><DIV>Join Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| join type=inner index<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR />Append Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| append<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR /><BR />AppendCols Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| appendcols<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR /><BR />Results:<BR /><BR />join: just fails with no data<BR />append: the _time and bytes fields are blank<BR />appendcols: leaves out the _time field - which I need to create timecharts with.<BR /><BR /></DIV><DIV>The end result should look like this:<BR /><BR />_time&nbsp; index&nbsp; &nbsp;sourcetype&nbsp; &nbsp;source&nbsp; &nbsp;host&nbsp; &nbsp;dept&nbsp; &nbsp;bytes<BR /><BR />where _time, index, bytes comes from the _internal logs<BR />where index, sourcetype, source, host, dept comes from the | tstats logs<BR /><BR />Any help is greatly appreciated.&nbsp; Thank you.</DIV></DIV> Wed, 04 Aug 2021 15:23:43 GMT jason_hotchkiss 2021-08-04T15:23:43Z Substituting host and source data https://community.splunk.com/t5/Splunk-Search/Substituting-host-and-source-data/m-p/562103#M195488 <P>Hello - I am using the following two searches:<BR /><BR />The first search is creating a table consisting of _time, idx, and b.&nbsp; There are two other fields available, s for source and h for host.&nbsp; However, we squash this information for performance reasons.<BR /><BR />index=_internal sourcetype=splunkd type=Usage source=*license_usage.log<BR />| table _time idx b<BR />| rename idx as index, b as bytes<BR /><BR />I have been trying to figure out a way to substitute the s &amp; h data in the events by using a join, append, or appendcols using:<BR /><BR />| tstats count WHERE index=* sourcetype=* source=* unit_id=* by index, sourcetype, source, host, dept<BR />| table index, sourcetype, source,&nbsp; host, dept</P><DIV><DIV>Join Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| join type=inner index<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR />Append Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| append<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR /><BR />AppendCols Example:<BR /><BR />| tstats count WHERE sourcetype=* source=* host=* unit_id=* by index sourcetype source host dept<BR />| table index sourcetype source host dept<BR />| appendcols<BR />[ search index=_internal sourcetype=splunkd type=Usage source="/opt/splunk/var/log/splunk/license_usage.log"<BR />| table _time idx b<BR />| rename idx as index, b as bytes]<BR /><BR /><BR />Results:<BR /><BR />join: just fails with no data<BR />append: the _time and bytes fields are blank<BR />appendcols: leaves out the _time field - which I need to create timecharts with.<BR /><BR /></DIV><DIV>The end result should look like this:<BR /><BR />_time&nbsp; index&nbsp; &nbsp;sourcetype&nbsp; &nbsp;source&nbsp; &nbsp;host&nbsp; &nbsp;dept&nbsp; &nbsp;bytes<BR /><BR />where _time, index, bytes comes from the _internal logs<BR />where index, sourcetype, source, host, dept comes from the | tstats logs<BR /><BR />Any help is greatly appreciated.&nbsp; Thank you.</DIV></DIV> Wed, 04 Aug 2021 15:23:43 GMT https://community.splunk.com/t5/Splunk-Search/Substituting-host-and-source-data/m-p/562103#M195488 jason_hotchkiss 2021-08-04T15:23:43Z