I am new to Splunk and am currently trying to create a dashboard for IT.
I have different CSV files for AV, Patch, and Software Installed.
I am able to individually upload all the CSV files into the same index and perform search operations to calculate the AVNotInstalled_status, PatchNotInstalled_status, and SoftwareInstalledExpired_status.
But when I want to combine the AV, Patch, and SW status fields by joining the search queries as I have written them, I am not able to get the desired combination.
Any help appreciated.
P.S. I am new to Splunk Help. Please let me know if I need to provide any more information. I can't share data or search queries due to confidentiality agreements.
Okay, here is what you need to give us, at a minimum, for us to be able to help.
1) The format of each of the files, with non-confidential sample data. Mark them each with the code button (101 010) so they stay formatted the way you want them. You could also indent them by four or more spaces and that will work too.
2) What your current code is (mark it as code, the same way).
3) What your current output is (same).
If you understand your data, then you can get us non-confidential versions of it. You really need to break the problem down into a "toy" problem, with a minimum number of fields. The fields can be called "foo" and "bar", or "field1" and "field2", or "animal" and "flower", it doesn't matter.
Before you try to do that, go read my response on this one, which tells you somewhat how to think about writing Splunk queries:
I had raised another query before this one was answered. I have also added comments as you have suggested.
Please refer to that query and provide me guidance.
Without further and much more detailed information, it is impossible to help you. If you cannot share the search or the data, then there is not much we can do.