Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Having source ip from 3 sourcetypes, how do I combine them all in one field and table the results?

esmonder
Path Finder
‎10-11-2017 12:32 AM

I have source ips from 3 different log sources with 3 different field names.
I want to have all the values from the 3 sources to come under one (new) field so that i can table the new field for a dashboard
here is what i have done with coalesce, but doesn't seem to give me what i want.

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| iplocation src_ip 
| iplocation Source_address 
| iplocation src 
| where Country="Israel" 
| eval my_src_ip = coalesce(src_ip, Source_address,src)
| table _time, my_src_ip

src_ip and src has 21 values each, src has 4 values. but my_src_ip only has 4 values, where i should be expected 46 values
Obviously coalesce is the wrong command to use, but please point in the right direction! Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

Reply
Solved! Jump to solution

harsmarvania57
SplunkTrust
SplunkTrust
‎10-11-2017 12:38 AM

Try this 

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
 | rename src_ip as src, Source_address as src
 | iplocation src 
 | where Country="Israel" 
 | table _time, src
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...