Splunk Search

Combining different searches into one search with different sources to produce one table view?

Hudond
Path Finder

Hello

I wanted to request some assistance with combining different searches from the same index and sourcetype, but different sources, into a table or even a report.

I struggle with the concept of combining them.

I have researched joins, stats, charts, etc., but when I try to implement them I get errors. I am missing something, which leaves me unsure of how to combine them effectively to get the results I need.

So any guidance or information that would help me learn this properly would be very helpful.

I have the following separate searches that give me the results I need:

====================================

Storage
index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"
| eval TotalSpaceKB = round(TotalSpaceKB/100000000)
| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host

OS
index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"
| dedup host
| table host os

CPU
index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"
| dedup host
| table host NumberOfProcessors

Memory
index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"
| dedup host
| eval "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000,1)
| table host "TotalPhysicalMemory (GB)"

=============================

My end goal is to provide a single table or report with the following columns

Host, OS, Number of Processors, total physical memory, total storage 

Thank you

Dan


gcusello
SplunkTrust

Hi @Hudond,

You don't need to run different searches because you can take data in one search something like this:

index="SRV" sourcetype=WinHostMon
| eval TotalSpaceKB = round(TotalSpaceKB/100000000), "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000,1)
| stats sum(TotalSpaceKB) AS "TotalSpace (GB)" values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors values("TotalPhysicalMemory (GB)") AS "TotalPhysicalMemory (GB)" by host

Storage, CPU, memory and OS are static data, so I suggest scheduling this search and putting the results in a lookup; in this way you'll have all the data quickly usable without rerunning the search.

In addition: Splunk isn't a DB where data are separated; using Splunk, you have to think in a different way!

Ciao.

Giuseppe
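As an added example (not part of Giuseppe's answer or of the original post), here is the same single-search approach carried through to the scheduled-lookup step he suggests. It keeps the per-source filters from the four original searches so the search only scans the disk, operatingsystem and processor events rather than every WinHostMon source, uses `latest()` per host (which matches what `dedup host` did in the separate searches), and writes the result to a lookup. The lookup file name `srv_host_inventory.csv` and the output column names are assumptions for illustration.

```spl
index="SRV" sourcetype=WinHostMon ((source=disk DriveType=fixed TotalSpaceKB="*") OR source=operatingsystem OR source=processor)
| eval TotalSpaceKB = round(TotalSpaceKB/100000000)
| eval "TotalPhysicalMemory (GB)" = round(TotalPhysicalMemoryKB/1000000,1)
| stats sum(TotalSpaceKB) AS "TotalSpace (GB)"
        latest(os) AS OS
        latest(NumberOfProcessors) AS "Number of Processors"
        latest("TotalPhysicalMemory (GB)") AS "TotalPhysicalMemory (GB)"
        by host
| table host OS "Number of Processors" "TotalPhysicalMemory (GB)" "TotalSpace (GB)"
| outputlookup srv_host_inventory.csv
```

The eval commands run before stats because stats only emits the fields it is asked for, so the KB fields are no longer available afterwards; the `round()` on events that lack a field yields null, which `sum()` and `latest()` ignore, so the three sources can share one eval stage. Once this is saved as a scheduled search, the report itself becomes `| inputlookup srv_host_inventory.csv`, which returns the inventory table without re-reading the index.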

Hudond
Path Finder

Thank you Giuseppe, that helped lead me in the right direction.


gcusello
SplunkTrust

Hi @Hudond,

Good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
