How do you create a table that matches information from 2 different source types?

akelbr
Explorer

Community, I need some help working with 2 different source types.

I'm trying to run a search where I need to match information from 2 sources in 1 table.

What I'm trying to do is:

index=uberagent sourcetype=uberAgent:OnOffTransition:StandbyDetail2 
| search host=* 
| where TargetStateDisplayName = "Hibernate" 
| join host 
    [ search index=uberagent sourcetype=uberAgent:System:SystemPerformanceSummary2 
    | stats avg(CPUUsagePercent) as "%CPU Usage" 
    | stats avg(IOPercentDiskTime) as "%IO Time" 
    | stats avg(RAMUsagePercent) as "%RAM Usage" 
    |return "%CPU Usage", "%IO Time", ] 
| stats count(TargetStateDisplayName) as "Total Events" by host 
| rename TargetStateDisplayName as "Machine Event" 
| eval "Machine Event" = "Hibernate" 
| rename host as "Machine Name" 
| table
    "Machine Name"
    "Total Events"
    "%CPU Usage"
    "%RAM Usage"
    "%IO Time" 
| sort - "Total Events" 
| head 15

Note that I already tried using sourcetype=A OR sourcetype=B, and I also tried |append, with no success.


mayurr98
Super Champion

Your query seems to be very wrong. Can you try this:

index=uberagent (sourcetype=uberAgent:OnOffTransition:StandbyDetail2 host=* TargetStateDisplayName = "Hibernate") OR sourcetype=uberAgent:System:SystemPerformanceSummary2 
| stats count(TargetStateDisplayName) as "Total Events" avg(CPUUsagePercent) as "%CPU Usage" avg(IOPercentDiskTime) as "%IO Time" avg(RAMUsagePercent) as "%RAM Usage" by host 
| rename host as "Machine Name" 
| table "Machine Name" "Total Events" "%CPU Usage" "%RAM Usage" "%IO Time" 
| sort 15 - "Total Events"

If this does not work, then share sample events from both sourcetypes and let me know the output you want to achieve.

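The accepted answer works because one base search pulls both sourcetypes and a single stats ... by host groups them per machine, whereas the original join's subsearch had no by host split and so could only return one row. As an added example that is not part of the thread, the Python below mirrors that grouping over constructed sample events (hypothetical hosts and values, not real uberAgent data); it also shows a caveat of the OR search: a host that reports performance data but never hibernates still appears, with Total Events = 0.

```python
from collections import defaultdict

# Constructed sample events, keyed like the two sourcetypes in the thread.
# Host names and percentages are made up for illustration.
STANDBY = "uberAgent:OnOffTransition:StandbyDetail2"
PERF = "uberAgent:System:SystemPerformanceSummary2"

EVENTS = [
    {"sourcetype": STANDBY, "host": "ws01", "TargetStateDisplayName": "Hibernate"},
    {"sourcetype": STANDBY, "host": "ws01", "TargetStateDisplayName": "Hibernate"},
    {"sourcetype": STANDBY, "host": "ws01", "TargetStateDisplayName": "Sleep"},
    {"sourcetype": STANDBY, "host": "ws02", "TargetStateDisplayName": "Hibernate"},
    {"sourcetype": PERF, "host": "ws01", "CPUUsagePercent": 40.0, "IOPercentDiskTime": 10.0, "RAMUsagePercent": 60.0},
    {"sourcetype": PERF, "host": "ws01", "CPUUsagePercent": 20.0, "IOPercentDiskTime": 30.0, "RAMUsagePercent": 70.0},
    {"sourcetype": PERF, "host": "ws02", "CPUUsagePercent": 50.0, "IOPercentDiskTime": 5.0, "RAMUsagePercent": 80.0},
    {"sourcetype": PERF, "host": "ws03", "CPUUsagePercent": 10.0, "IOPercentDiskTime": 1.0, "RAMUsagePercent": 30.0},
]


def matches(ev):
    """Base search: (StandbyDetail2 AND Hibernate) OR SystemPerformanceSummary2."""
    if ev["sourcetype"] == STANDBY:
        return ev.get("TargetStateDisplayName") == "Hibernate"
    return ev["sourcetype"] == PERF


def stats_by_host(events):
    """Single-pass equivalent of: stats count(TargetStateDisplayName) avg(...) by host."""
    groups = defaultdict(lambda: {"count": 0, "cpu": [], "io": [], "ram": []})
    for ev in filter(matches, events):
        g = groups[ev["host"]]
        if "TargetStateDisplayName" in ev:   # count(field) skips events lacking the field
            g["count"] += 1
        if "CPUUsagePercent" in ev:          # avg(field) likewise skips events lacking it
            g["cpu"].append(ev["CPUUsagePercent"])
            g["io"].append(ev["IOPercentDiskTime"])
            g["ram"].append(ev["RAMUsagePercent"])
    avg = lambda xs: sum(xs) / len(xs) if xs else None   # None = empty cell in Splunk
    rows = [{"Machine Name": h, "Total Events": g["count"], "%CPU Usage": avg(g["cpu"]),
             "%IO Time": avg(g["io"]), "%RAM Usage": avg(g["ram"])} for h, g in groups.items()]
    # sort 15 - "Total Events": descending by count, top 15 rows
    return sorted(rows, key=lambda r: r["Total Events"], reverse=True)[:15]
```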

akelbr
Explorer

Thank you mayurr98! That is exactly what I need.

This multi-sourcetype thing was a little confusing to me, but now things are much clearer.


akelbr
Explorer

Thank you mayurr98! This is exactly what I need.

This multi-sourcetype thing was something confusing for me, but now I understand it much better.

Thanks again.
