Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Datamodel combine search

burakatabay
Path Finder
‎01-17-2020 03:14 PM

Hi Splunkers,

I want to use two datamodel search in same time. My problem ;
My search return Filesystem.process_id but also ı want to see process_name but not including in Endpoint->Filesystem Datamodel.
I want to fetch process_name in Endpoint->Processes datamodel in same search.

My base search is =
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id

An example output :

alt text

How I add Processes.process_name by Filesystem.process_id on this search?

Happy Hunting.

Preview file
22 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎01-19-2020 02:44 PM

We really need to see more of your data but maybe this?

| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names
FROM datamodel=Endpoint.Filesystem
BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id"
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 06:20 PM 
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
|append [ | tstats summariesonly=true allow_old_summaries=true pres count FROM datamodel=Endpoint.Processes BY "Processes.process_id", "Process.process_name"
| fields - count ]
| selfjoin process_id

Hi, @burakatabay
I haven't try this, and I don't understand pres in your query tstats
if pres is no need, please delete it.
maybe works. how about this?

0 Karma
Reply

burakatabay
Path Finder
‎01-19-2020 08:24 AM

thank you for answers ,
pres must have accidentally written. it's not in search.
but I think it is necessary to change the data model to solve the problem.
because Filesystem.process_id not in Processes.process_id.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-19-2020 12:47 PM

I see. they are not same.
Is there another key field in both datamodels?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...