topic Why does search only return partial columns? in Splunk Search

Why does search only return partial columns?

JohnF — Mon, 23 May 2022 17:47:52 GMT

Hello folks,

Been busting my head here.. trying to pull data from multiple sourcetypes which I thought would run like:

Index=test sourcetype=A OR sourcetype=B | search host=* | where <appname> ="value" AND
| table Host, IPAddress, Appname

host is a field in both sourcetypes and IP related info is in B. Just trying to pull out host, it's IP address, and the app in question. What I get is a real long host list (so that's good) with a few IP's and a few apps..

Looking abit like this:

Host | IPAddress |Appname

so on and so forth

seems like any place that shows an ip address refuses to show an appname and vice versa??

Still acts the same. I pulled each part separately so I know the data is good.

Re: Why does search only return partial columns?

richgalloway — Mon, 23 May 2022 18:54:57 GMT

IP addresses and app names are in separate events and the query shown does nothing to put them together so Splunk shows them as separate events.

There are several ways to put the events together. The one I like most is the stats command, not for any stats, but for the grouping feature.

index=test sourcetype=A OR sourcetype=B host=* | where Appname ="value" | stats values(*) as * by host | table host, IPAddress, Appname

Re: Why does search only return partial columns?

PickleRick — Mon, 23 May 2022 19:00:51 GMT

One small remark - host is one of the default fields and is (or at least should be in a properly working Splunk installation) always filled with a value. So searching for host=* seems a bit pointless.

Re: Why does search only return partial columns?

JohnF — Tue, 24 May 2022 11:29:24 GMT

let me make sure I got this correct. So in this situation I can go:

Stats values(IPAddress) AS IP, values(AppName) by host

|table IPAddress, AppName, Host