Solved: Windows performance data

bernardoortega · ‎05-03-2017

Hello,
I have enabled performance data from one windows hosts to test it.
If i search for index=windows i got 13 sources(process,service,inbound,outbound,disk,etc) and 4 different sourcetypes: (i have enabled listening ports and apps)
WinNetMon
WinHostMon
Script:ListeningPorts
Script:InstalledApps

Now, if i do a search like this:

index=windows sourcetype="Script:ListeningPorts" | dedup dest_port |table dest_port,process_id
I got the listening port number and thge process_id (pid) in a table.
If i want to see what the process_id=2220 is bound to which software i do this:

index=windows sourcetype=WinHostMon source=process ProcessId=2220 | table CommandLine

Will show me the pid 2220 and commandline, which is the Terminal service in this case

As you can see there are two fields: process_id and ProcessId with the same pid number.

I need to do a search in a table to show: dest_port, ProcessId,CommandLine

But as they are coming from different sourcetypes and sources i cannot figure it out how to do it.

thanks guys

adonio · ‎05-03-2017

hello bernardoortega,
I think a better headline to this question will be: "How to join 2 search results with no matching fields" or something of that sort.
with that being said, I relied here on a solution by @DalJeanis on a different question here: https://answers.splunk.com/answers/500980/how-to-join-two-searches-with-no-common-field.html
here is the search:

 index=windows sourcetype="Script:ListeningPorts" process_id=*
     | table process_id dest_port 
     | join type=left ProcessId 
       [
            | search index=windows sourcetype=WinHostMon source=process ProcessId=* 
            | stats count by  ProcessId CommandLine | rename ProcessId as process_id
        ]
     | table process_id dest_port CommandLine

and here is a screenshot:

View solution in original post

adonio · ‎05-03-2017

hello bernardoortega,
I think a better headline to this question will be: "How to join 2 search results with no matching fields" or something of that sort.
with that being said, I relied here on a solution by @DalJeanis on a different question here: https://answers.splunk.com/answers/500980/how-to-join-two-searches-with-no-common-field.html
here is the search:

 index=windows sourcetype="Script:ListeningPorts" process_id=*
     | table process_id dest_port 
     | join type=left ProcessId 
       [
            | search index=windows sourcetype=WinHostMon source=process ProcessId=* 
            | stats count by  ProcessId CommandLine | rename ProcessId as process_id
        ]
     | table process_id dest_port CommandLine

and here is a screenshot:

bernardoortega · ‎05-04-2017

You are right that the title should be named different. Anyway, it worked well, thanks so much for the info.

adonio · ‎05-04-2017

if that is the case,
kindly mark the question as answered
happy it works for you!

DalJeanis · ‎05-03-2017

@adonio - Thanks for the shout out. Shouldn't line 3 be | join type=left process_id ?

I'm guessing that it worked only because ProcessId was null in both files and process_id existed with matching keys...

adonio · ‎05-03-2017

Yes, you are correct!
also missed the | dedup requirement in the search i question. so here it is again!

  index=windows sourcetype="Script:ListeningPorts" process_id=*
     | dedup process_id
     | table process_id dest_port 
      | join type=left process_id 
       [| search index=windows sourcetype=WinHostMon source=process ProcessId=* | stats count by  ProcessId CommandLine | rename ProcessId as process_id ]
     | table process_id dest_port CommandLine

Windows performance data

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout