Combining different searches into one search with different sources to produce one table view?

Hudond
Path Finder

Hello

I wanted to request some assistance with combining different searches from the same index and same sourcetype, but different sources, into a table, or even a report.

I struggle with the concept of combining them.

I have researched joins, stats, charts, etc., but when I try to implement them I get errors; I am missing a point somewhere, which makes me unsure of how to combine them effectively to get the results I need.

So any guidance or information that may assist me to learn properly would be very helpful.

I have the following separate searches that give me the results I need:

====================================

Storage
index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"
| eval TotalSpaceKB = round(TotalSpaceKB/1000000)
| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host

OS
index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"
| dedup host
| table host os

CPU
index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"
| dedup host
| table host NumberOfProcessors

Memory
index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"
| dedup host
| eval "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000, 1)
| table host "TotalPhysicalMemory (GB)"

=============================

My end goal is to provide a single table or report with the following columns

Host, OS, Number of Processors, total physical memory, total storage 

Thank you

Dan


gcusello
SplunkTrust

Hi @Hudond,

You don't need to run different searches because you can take data in one search something like this:

index="SRV" sourcetype=WinHostMon
| stats sum(TotalSpaceKB) AS TotalSpaceKB values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors values(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host
| eval "TotalSpace (GB)" = round(TotalSpaceKB/1000000), "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000, 1)
| table host os NumberOfProcessors "TotalPhysicalMemory (GB)" "TotalSpace (GB)"

Storage, CPU, memory and OS are static data, so I suggest scheduling this search and putting the results in a lookup; this way you'll have all the data quickly usable without rerunning the search.

In addition: Splunk isn't a DB where data are separated; using Splunk you have to think in a different way!

Ciao.

Giuseppe


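A worked version of the single-search approach from the accepted answer, written for this page as an added example (it is not code from the thread). It fixes two things a practitioner will hit with the one-liner above: `eval` must run after `stats` because the KB fields no longer exist under their original names once `stats` has aggregated them, and WinHostMon emits a disk event per volume per polling interval, so a plain `sum(TotalSpaceKB)` over a multi-hour window multiplies the real capacity by the number of polls. The two-stage `stats` takes the latest reading per host and volume first, then sums per host. It assumes the disk events carry a per-volume `Name` field (e.g. `C:`) and uses a hypothetical lookup name `server_inventory.csv`; both are assumptions, not facts from the thread.

```spl
index="SRV" sourcetype=WinHostMon ((source=disk DriveType=fixed TotalSpaceKB=*) OR source=operatingsystem OR source=processor)
| eval volume = coalesce(Name, source)
| stats latest(TotalSpaceKB) AS TotalSpaceKB latest(os) AS os latest(NumberOfProcessors) AS NumberOfProcessors latest(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host, volume
| stats sum(TotalSpaceKB) AS TotalSpaceKB values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors values(TotalPhysicalMemoryKB) AS TotalPhysicalMemoryKB by host
| eval "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000, 1)
| eval "TotalSpace (GB)" = round(TotalSpaceKB/1000000)
| table host os NumberOfProcessors "TotalPhysicalMemory (GB)" "TotalSpace (GB)"
| outputlookup server_inventory.csv
```

The `coalesce(Name, source)` line gives the OS and processor events a group-by value too, since `stats ... by host, volume` would otherwise drop events where `volume` is null; if your disk events use a different field for the drive letter, substitute it, otherwise every volume collapses into one row and only the latest disk is counted. Schedule the search (daily is plenty for inventory data, as the answer notes) and have dashboards read `| inputlookup server_inventory.csv` instead of re-scanning the index. The divisors follow the thread's decimal convention (1 GB = 1,000,000 KB); use 1048576 if you want the binary GiB figures that Windows itself displays.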

Hudond
Path Finder

Thank you Giuseppe, that helped lead me in the right direction.


gcusello
SplunkTrust

Hi @Hudond,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
