Splunk Search

Combining different searches into one search with different sources to produce one table view?

Hudond
Path Finder

Hello

I wanted to request some assistance with the topic of combining different searches from the same index and same sourcetype, but different sources, into a table, or even a report.

I struggle with the concept of combining them.

I have researched joins, stats, charts, etc., but when I try to implement them I get errors; I am missing some point, which leaves me unsure of how to combine them effectively to get the results I need.

So any guidance or information that may assist me to learn properly would be very helpful.

I have the following separate searches that give me the results I need:

====================================

Storage
index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"
| eval TotalSpaceKB = round(TotalSpaceKB/100000000)
| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host

OS
index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"
| dedup host
| table host os

CPU
index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"
| dedup host
| table host NumberOfProcessors

Memory
index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"
| dedup host
| eval "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000, 1)
| table host "TotalPhysicalMemory (GB)"

=============================

My end goal is to provide a single table or report with the following columns

Host, OS, Number of Processors, total physical memory, total storage 

Thank you

Dan


gcusello
SplunkTrust

Hi @Hudond,

You don't need to run different searches, because you can get the data in one search, something like this:

index="SRV" sourcetype=WinHostMon
| eval TotalSpaceGB = if(lower(DriveType)=="fixed", round(TotalSpaceKB/100000000), null())
| eval TotalPhysicalMemoryGB = round(TotalPhysicalMemoryKB/1000000, 1)
| stats sum(TotalSpaceGB) AS "TotalSpace (GB)" values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors values(TotalPhysicalMemoryGB) AS "TotalPhysicalMemory (GB)" by host

Storage, CPU, memory and OS are static data, so I suggest scheduling this search and putting the results in a lookup; this way you'll have all the data quickly usable without rerunning the search.

In addition: Splunk isn't a DB where data are separated, using Splunk you have to think in a different way!

Ciao.

Giuseppe
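An added worked example (not from Giuseppe's post) that folds Dan's four searches into the single stats-by-host search described above, keeps the DriveType=fixed filter from the storage search, and writes the result to a lookup as suggested. The lookup name host_inventory.csv is assumed, the division constants are the ones from the original searches, and the time range is assumed to cover a single WinHostMon polling interval so each drive's TotalSpaceKB is summed only once.

```spl
index="SRV" sourcetype=WinHostMon ((source=disk DriveType=fixed) OR source=operatingsystem OR source=processor)
| eval TotalSpaceGB = round(TotalSpaceKB/100000000)
| eval TotalPhysicalMemoryGB = round(TotalPhysicalMemoryKB/1000000, 1)
| stats values(os) AS OS values(NumberOfProcessors) AS "Number of Processors" values(TotalPhysicalMemoryGB) AS "TotalPhysicalMemory (GB)" sum(TotalSpaceGB) AS "TotalSpace (GB)" by host
| table host OS "Number of Processors" "TotalPhysicalMemory (GB)" "TotalSpace (GB)"
| outputlookup host_inventory.csv
```

Once this is scheduled, `| inputlookup host_inventory.csv` returns the same table without re-running the search against the index.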

Hudond
Path Finder

Thank you Giuseppe, that helped lead me in the right direction.


gcusello
SplunkTrust

Hi @Hudond,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
