https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199091#M57638 <P>Hi lguinn,</P> <P>Wow, that worked amazingly!</P> <P>However, I haven't thought that it would be that (let's say ) advanced, using streamstats and staff. I'll keep that script though in my one-note to be processed for future queries.</P> <P>One more question though, how to eliminate 2 lines as you say? I am attempting to keep only dest_ip, critical and high fields but it doesn't work.</P> <P>Regards,<BR /> Evang</P> Tue, 02 Sep 2014 11:45:28 GMT evang_26 2014-09-02T11:45:28Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199089#M57636 <P>Hi users,</P> <P>I am trying to combine the outputs of two different searches and stack them in a chart.</P> <P>The idea is to find the most popular IPs in my network based on vulnerability severity high OR critical, and then chart each popular IP with its respective number of vulns (high OR critical).</P> <P>Here is how I started dealing with this:</P> <PRE><CODE>sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity </CODE></PRE> <P>However, the above lists only IPs with severity==high because there are more high vulns for all of the IPs.</P> <P>Bearing the above in mind, and hoping that I can still list the most popular IPs (total of high + critical vulns for each IP), I thought combining searches, that is have one to find the most popular IPs (high + critical) and then somehow instruct the other search to take from the listed previously IPs and list how many critical vulns. Below is the attempt:</P> <PRE><CODE>|set union [search sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity] [search sourcetype=nessus severity=critical OR severity=high earliest=-30d@mon latest=now| top 5 severity,dest_ip| where severity=critical| chart sum(count) by dest_ip,severity] </CODE></PRE> <P>However, the above lists again only machines with high vulns. Critical ones are missing.</P> <P>Could anyone help?</P> <P>Regards,<BR /> Evang</P> Mon, 01 Sep 2014 19:59:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199089#M57636 evang_26 2014-09-01T19:59:36Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199090#M57637 <P>Try this approach:</P> <PRE><CODE>sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now | chart count by dest_ip severity | sort -high | streamstats count as rank_high | sort -critical | streamstats count as rank_critical | where rank_high &lt;= 10 OR rank_critical &lt;=10 | fields - rank_high rank_critical | addcoltotals high critical | sort -total </CODE></PRE> <P>This approach uses sorting plus <CODE>streamstats</CODE> to identify the top IPs based on high severity, plus the top based on critical severity. The <CODE>where</CODE> command keeps the top 10 in <EM>both</EM> groups. If you show this as a graphic chart, you may want to eliminate the last 2 lines, which calculates an overall total of the two categories.</P> <P>This should give you no more than 20 IPs in the resulting chart.</P> Tue, 02 Sep 2014 08:58:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199090#M57637 lguinn2 2014-09-02T08:58:13Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199091#M57638 <P>Hi lguinn,</P> <P>Wow, that worked amazingly!</P> <P>However, I haven't thought that it would be that (let's say ) advanced, using streamstats and staff. I'll keep that script though in my one-note to be processed for future queries.</P> <P>One more question though, how to eliminate 2 lines as you say? I am attempting to keep only dest_ip, critical and high fields but it doesn't work.</P> <P>Regards,<BR /> Evang</P> Tue, 02 Sep 2014 11:45:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199091#M57638 evang_26 2014-09-02T11:45:28Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199092#M57639 <P>I think what Iguinn meant was to delete the last two lines of the search string that was posted. Because this just calculates the totals of the columns.</P> <P>If you just want to keep certain fields, use the table or fields command after your search to achieve this. For example:</P> <PRE><CODE>... | table dest_ip critical high </CODE></PRE> Tue, 02 Sep 2014 12:01:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199092#M57639 tom_frotscher 2014-09-02T12:01:43Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199093#M57640 <P>Hi tom_frotscher,</P> <P>I tried with both of them,</P> <PRE><CODE>| fields dest_ip critical high | table dest_ip critical high </CODE></PRE> <P>It didn't worked. I tried also with a fieldnull, same thing.</P> <P>Regards,<BR /> Evang</P> Tue, 02 Sep 2014 12:09:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199093#M57640 evang_26 2014-09-02T12:09:24Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199094#M57641 <P>Try this:</P> <P><CODE>sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now<BR /> | chart count by dest_ip severity<BR /> | sort -high <BR /> | streamstats count as rank_high<BR /> | sort -critical<BR /> | streamstats count as rank_critical<BR /> | where rank_high &lt;= 10 OR rank_critical &lt;=10<BR /> | fields - rank_high rank_critical</CODE></P> <P>It is a little complex! You really are combining two independent "Top Tens" - one based on critical severity and the other based on high severity. You could do this with other commands like <CODE>join</CODE> or <CODE>append</CODE> but this approach should be much more efficient and work with large data sets.</P> Tue, 02 Sep 2014 17:32:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199094#M57641 lguinn2 2014-09-02T17:32:15Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199095#M57642 <P>That worked!</P> <P>Thank you very much indeed lguinn.</P> <P>Hope some day I'll be able to help guys like me in the future!</P> <P>Regards,<BR /> Evang</P> Tue, 02 Sep 2014 18:21:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-outputs-of-two-searches-and-display-them-in-a/m-p/199095#M57642 evang_26 2014-09-02T18:21:22Z