Getting Data In

I have a common field name for different sources. How do I view results from one source for this particular field name?

rashid47010
Communicator

I have common signature fields for both devices (Palo Alto and McAfee IPS) in the results. I just want to see the results from the McAfee IPS signature field.

Please advise.


rashid47010
Communicator

I got my required results.
At this stage, two things are on my mind.

1- For the signature field it shows me the signature values from both indexes/sourcetypes. I want to see the signature from only McAfee IPS.

2- How can I show the result, whereas both devices have different field names for the result?


aaraneta_splunk
Splunk Employee

@rashid47010 - Just to clarify: Did cusello's suggestion of using index=your_index sourcetype=ips | ... help get the "required results" to answer your question?


gcusello
SplunkTrust

Use
index=your_index sourcetype=ips | ...
Bye.
Giuseppe


somesoni2
Revered Legend

Both logs should have different sourcetypes, so add the McAfee IPS-specific sourcetype to your search (you can see the available sourcetypes in the left field sidebar when you run the search).


rashid47010
Communicator

Thanks for the quick reply, below is my query:

index=paloalto_pa OR index=mcafee_ips src="2xx.xx.x.x1" | transaction src | stats count as "TOTAL_ATTEMPTS",values(dest) as DESTINATION,values(dest_translated_ip) as NATED_IP,values(threat_name),values(signature) by src

For Palo Alto and McAfee IPS I have a common signature field. For Palo Alto, the threat_name field (paloalto) gives me more value than showing signature.
Now for McAfee IPS there is only the signature field, which is OK for me. Now the results show only the signature field from Palo Alto, not from McAfee IPS.

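Putting the two follow-up questions together (signature only from McAfee IPS, and one column that covers both devices even though their field names differ), here is an added example search. It is not from any of the posters; the index names and the masked src value come from the query above, and the sourcetype names are placeholders you would replace with the ones shown in the field sidebar.

```spl
index=paloalto_pa sourcetype=YOUR_PALOALTO_SOURCETYPE OR index=mcafee_ips sourcetype=YOUR_MCAFEE_SOURCETYPE src="2xx.xx.x.x1"
| eval detection=coalesce(threat_name, signature)
| eval mcafee_signature=if(index="mcafee_ips", signature, null())
| stats count as TOTAL_ATTEMPTS
        values(dest) as DESTINATION
        values(dest_translated_ip) as NATED_IP
        values(detection) as DETECTION
        values(mcafee_signature) as MCAFEE_SIGNATURE
        by src
```

coalesce() takes threat_name where Palo Alto supplies it and falls back to signature for McAfee IPS, so DETECTION holds both devices' values in one column; MCAFEE_SIGNATURE is null() for Palo Alto events, and values() skips nulls, so that column lists only McAfee IPS signatures. If you would rather see the two devices on separate rows, drop the second eval and use "by src, index" instead.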