Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Having source ip from 3 sourcetypes, how do I combine them all in one field and table the results?

esmonder
Path Finder
‎10-11-2017 12:32 AM

I have source ips from 3 different log sources with 3 different field names.
I want to have all the values from the 3 sources to come under one (new) field so that i can table the new field for a dashboard
here is what i have done with coalesce, but doesn't seem to give me what i want.

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| iplocation src_ip 
| iplocation Source_address 
| iplocation src 
| where Country="Israel" 
| eval my_src_ip = coalesce(src_ip, Source_address,src)
| table _time, my_src_ip

src_ip and src has 21 values each, src has 4 values. but my_src_ip only has 4 values, where i should be expected 46 values
Obviously coalesce is the wrong command to use, but please point in the right direction! Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-11-2017 12:38 AM

Try this 

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
 | rename src_ip as src, Source_address as src
 | iplocation src 
 | where Country="Israel" 
 | table _time, src
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...