search |rename Name as Threat | stats count by Threat | sort -count
and
search |rename suser as User | stats count by User | sort -count
and
search |rename dvchost as Host | stats count by Host | sort -count
The search is the same for all three, and I want the output to look like this:
Threat count User count Host count
PUP.Optional.ASK 36 CHollows 16 KVM 9974
PUM.Optional.DisableChromeUpdates 8 DFoghat 8 GIB 114
PUP.Optional.SuperOptimizer 4 AAerosmith 4 DWI 36
Exploit payload process blocked 1 FTelsa 4 STP 31
You haven't mentioned any common field to use for a join. If you still want to show them as you need, without any relation between the fields, you can go with "appendcols". See the query below:
search..... |rename Name as Threat | stats count as ThreatCount by Threat | sort -ThreatCount |
appendcols [search ....|rename suser as User | stats count as UserCount by User | sort -UserCount ] |
appendcols [ search ..... |rename dvchost as Host | stats count as HostCount by Host | sort -HostCount]
I just changed the column names of count to make them unique.
Hope this works.
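To see what the appendcols approach actually produces, here is an added Python model of it (not code from this thread or from Splunk): three independent `stats count by` tables over a few constructed events using the question's fields Name, suser and dvchost, glued together row by row with the unique count names from the answer. It makes the caveat concrete: the Threat, User and Host on one output row share a row number and nothing else.

```python
from collections import Counter

# Constructed sample events using the question's fields (Name, suser, dvchost).
EVENTS = [
    {"Name": "PUP.Optional.ASK", "suser": "CHollows", "dvchost": "KVM"},
    {"Name": "PUP.Optional.ASK", "suser": "DFoghat", "dvchost": "KVM"},
    {"Name": "PUP.Optional.SuperOptimizer", "suser": "CHollows", "dvchost": "GIB"},
    {"Name": "PUP.Optional.ASK", "suser": "AAerosmith", "dvchost": "KVM"},
    {"Name": "Exploit payload process blocked", "suser": None, "dvchost": "KVM"},
]


def stats_count_by(events, field, new_name, count_name):
    """Mimics `rename field AS new_name | stats count AS count_name BY new_name | sort -count_name`.
    Events where the field is null are dropped, as `stats ... BY` does in Splunk."""
    counts = Counter(e[field] for e in events if e.get(field) is not None)
    return [{new_name: value, count_name: n} for value, n in counts.most_common()]


def appendcols(*tables):
    """Mimics appendcols: row i of every input table lands on output row i.
    There is no join key, so the values on one row are unrelated to each other."""
    out = []
    for i in range(max(len(t) for t in tables)):
        row = {}
        for table in tables:
            if i < len(table):  # a shorter table simply leaves its columns empty
                row.update(table[i])
        out.append(row)
    return out


def report(events=EVENTS):
    """The answer's query: three independent top lists, appended column-wise."""
    return appendcols(
        stats_count_by(events, "Name", "Threat", "ThreatCount"),
        stats_count_by(events, "suser", "User", "UserCount"),
        stats_count_by(events, "dvchost", "Host", "HostCount"),
    )


if __name__ == "__main__":
    for row in report():
        print(row)
```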
You need multireport; try this:
search
| foreach Name suser dvchost [ eval <<FIELD>>=coalesce(<<FIELD>>, "NULL") ]
| stats count BY Name suser dvchost
| multireport
[ stats sum(count) AS count BY Name | sort 0 - count | rename Name AS Threat ]
[ stats sum(count) AS count BY suser | sort 0 - count | rename suser AS User ]
[ stats sum(count) AS count BY dvchost | sort 0 - count | rename dvchost AS Host ]
I will highly recommend against this method: very heavy search and unnecessary subsearch. Also take into consideration the subsearch limitations. Read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutsubsearches#Subsearch_performance_con...
try this:
... your search ... | stats count(Name) as Threats count(suser) as User count(dvchost) as Host ...
That will make your search more efficient and 1 search is enough. No join, no rename.
Hope it helps.