topic Re: How to get data from two or more data models in Splunk through a search? in Splunk Search

How to get data from two or more data models in Splunk through a search?

gitanjali — Tue, 02 Feb 2016 11:19:32 GMT

Hi,

Can anyone tell how I can get data from two or more data models in Splunk through a Splunk search?
Like I want to merge Vulnerabilities.signature, Malware.signature, and Intrusion_Detection.signature all in one column i.e. getting data from 3 different data models.

I tried using multisearch, pivots, and join, but nothing seems to work. I am trying to get a D3 partition layout on my dashboard and for that I need to have all sorts of signature values from different data models (Vulnerabilities, Malware, Intrusion_Detection) in just one column to plot that chart.

Please tell me how I can get that.

Thanks

Re: How to get data from two or more data models in Splunk through a search?

somesoni2 — Tue, 02 Feb 2016 23:44:41 GMT

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

Re: How to get data from two or more data models in Splunk through a search?

gitanjali — Wed, 10 Feb 2016 08:24:31 GMT

Thanks, the query worked well.

Re: How to get data from two or more data models in Splunk through a search?

gitanjali — Wed, 10 Feb 2016 08:37:02 GMT

So to get the combined results from various datamodels, I used search command. But for this command to work, you need to keep the names of the resulting fields for all the subsearches to be same.

Syntax:

<serach> | append [<subsearch>]

eg :- Here I appended data from 3 datamodels and have renamed the resulting field for all subsearches as

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest|rename Vulnerabilities.dest as dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest|rename Malware_Attacks.dest as dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest|rename IDS_Attacks.dest as dest]

Re: How to get data from two or more data models in Splunk through a search?

somesoni2 — Wed, 10 Feb 2016 16:02:48 GMT

You can just do this as well

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest ] | eval desk=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest','IDS_Attacks.dest') | fields - *.dest

Re: How to get data from two or more data models in Splunk through a search?

gitanjali — Wed, 10 Feb 2016 17:40:31 GMT

yeah, it did the job as well.
Thanks again.

Re: How to get data from two or more data models in Splunk through a search?

cabauah — Thu, 28 Mar 2019 00:59:38 GMT

does multisearch have limit on the number of records it can combine? i.e 50k like append/subsearch

Re: How to get data from two or more data models in Splunk through a search?

landen99 — Thu, 05 Dec 2019 02:23:36 GMT

subsearch limitations

Re: How to get data from two or more data models in Splunk through a search?

landen99 — Thu, 05 Dec 2019 02:24:17 GMT

datamodel does not take advantage of datamodel accelerations

Re: How to get data from two or more data models in Splunk through a search?

landen99 — Thu, 05 Dec 2019 02:24:50 GMT

no limit.