Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Datamodel combine search

burakatabay
Path Finder
‎01-17-2020 03:14 PM

Hi Splunkers,

I want to use two datamodel search in same time. My problem ;
My search return Filesystem.process_id but also ı want to see process_name but not including in Endpoint->Filesystem Datamodel.
I want to fetch process_name in Endpoint->Processes datamodel in same search.

My base search is =
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id

An example output :

alt text

How I add Processes.process_name by Filesystem.process_id on this search?

Happy Hunting.

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎01-19-2020 02:44 PM

We really need to see more of your data but maybe this?

| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names
FROM datamodel=Endpoint.Filesystem
BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id"
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 06:20 PM 
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
|append [ | tstats summariesonly=true allow_old_summaries=true pres count FROM datamodel=Endpoint.Processes BY "Processes.process_id", "Process.process_name"
| fields - count ]
| selfjoin process_id

Hi, @burakatabay
I haven't try this, and I don't understand pres in your query tstats
if pres is no need, please delete it.
maybe works. how about this?

0 Karma
Reply

burakatabay
Path Finder
‎01-19-2020 08:24 AM

thank you for answers ,
pres must have accidentally written. it's not in search.
but I think it is necessary to change the data model to solve the problem.
because Filesystem.process_id not in Processes.process_id.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-19-2020 12:47 PM

I see. they are not same.
Is there another key field in both datamodels?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...