Having source ip from 3 sourcetypes, how do I combine them all in one field and table the results?

esmonder
Path Finder

I have source IPs from 3 different log sources with 3 different field names.
I want all the values from the 3 sources to come under one (new) field so that I can table the new field for a dashboard.
Here is what I have done with coalesce, but it doesn't seem to give me what I want.

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| iplocation src_ip 
| iplocation Source_address 
| iplocation src 
| where Country="Israel" 
| eval my_src_ip = coalesce(src_ip, Source_address,src)
| table _time, my_src_ip

src_ip and src have 21 values each, src has 4 values, but my_src_ip only has 4 values, where I should expect 46 values.
Obviously coalesce is the wrong command to use, but please point me in the right direction! Thank you

0 Karma
1 Solution

gcusello
Esteemed Legend

Hi esmonder,
you can use the coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

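The two pipeline orders from this thread, emulated in plain Python as an added example (not code from the thread or from Splunk). The events and the small geo table are constructed; the lookup stage is modelled on the assumption that a lookup run over a field an event does not have leaves that event without Country, which reproduces what the poster observed (only the values from the last iplocation survive the where).

```python
# Constructed sample events: one source-IP field name per sourcetype, as in the question.
EVENTS = [
    {"sourcetype": "eStreamer", "src_ip": "203.0.113.10"},
    {"sourcetype": "eStreamer", "src_ip": "198.51.100.5"},
    {"sourcetype": "incapsula", "Source_address": "203.0.113.11"},
    {"sourcetype": "symantec:ep:security:file", "src": "203.0.113.12"},
]

# Constructed stand-in for the iplocation database (documentation-range IPs).
GEO = {
    "203.0.113.10": "Israel",
    "203.0.113.11": "Israel",
    "203.0.113.12": "Israel",
    "198.51.100.5": "Germany",
}


def coalesce(event, *fields):
    """SPL coalesce(): the first listed field that is non-null for this event."""
    for f in fields:
        if event.get(f) not in (None, ""):
            return event[f]
    return None


def iplocation(events, field):
    """Model of `| iplocation <field>` (assumption): Country is written for every
    event from the given field, so an event lacking the field ends up with no Country."""
    for e in events:
        e["Country"] = GEO.get(e.get(field))
    return events


def pipeline_original(events):
    """Question's order: iplocation once per field, then where, then coalesce."""
    events = [dict(e) for e in events]
    for field in ("src_ip", "Source_address", "src"):
        iplocation(events, field)          # each pass clobbers the previous Country
    matched = [e for e in events if e["Country"] == "Israel"]
    return [coalesce(e, "src_ip", "Source_address", "src") for e in matched]


def pipeline_fixed(events):
    """Accepted answer's order: coalesce into one field first, then a single iplocation."""
    events = [dict(e) for e in events]
    for e in events:
        e["my_src_ip"] = coalesce(e, "src", "src_ip", "Source_address")
    iplocation(events, "my_src_ip")
    return [e["my_src_ip"] for e in events if e["Country"] == "Israel"]
```

Running both over the same events shows the original order keeping only the Symantec IP, while normalising the field before the single lookup keeps all three Israeli source IPs.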

harsmarvania57
SplunkTrust

Try this

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
 | rename src_ip as src, Source_address as src
 | iplocation src 
 | where Country="Israel" 
 | table _time, src
0 Karma