Getting Data In

Having source ip from 3 sourcetypes, how do I combine them all in one field and table the results?

esmonder
Path Finder

I have source ips from 3 different log sources with 3 different field names.
I want to have all the values from the 3 sources to come under one (new) field so that i can table the new field for a dashboard
here is what i have done with coalesce, but doesn't seem to give me what i want.

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| iplocation src_ip 
| iplocation Source_address 
| iplocation src 
| where Country="Israel" 
| eval my_src_ip = coalesce(src_ip, Source_address,src)
| table _time, my_src_ip

src_ip and src has 21 values each, src has 4 values. but my_src_ip only has 4 values, where i should be expected 46 values
Obviously coalesce is the wrong command to use, but please point in the right direction! Thank you

0 Karma
1 Solution

gcusello
Legend

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

View solution in original post

gcusello
Legend

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Try this

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
 | rename src_ip as src, Source_address as src
 | iplocation src 
 | where Country="Israel" 
 | table _time, src
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!