Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Datamodel combine search

burakatabay
Path Finder
‎01-17-2020 03:14 PM

Hi Splunkers,

I want to use two datamodel search in same time. My problem ;
My search return Filesystem.process_id but also ı want to see process_name but not including in Endpoint->Filesystem Datamodel.
I want to fetch process_name in Endpoint->Processes datamodel in same search.

My base search is =
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id

An example output :

alt text

How I add Processes.process_name by Filesystem.process_id on this search?

Happy Hunting.

Preview file
22 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎01-19-2020 02:44 PM

We really need to see more of your data but maybe this?

| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names
FROM datamodel=Endpoint.Filesystem
BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id"
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 06:20 PM 
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
|append [ | tstats summariesonly=true allow_old_summaries=true pres count FROM datamodel=Endpoint.Processes BY "Processes.process_id", "Process.process_name"
| fields - count ]
| selfjoin process_id

Hi, @burakatabay
I haven't try this, and I don't understand pres in your query tstats
if pres is no need, please delete it.
maybe works. how about this?

0 Karma
Reply

burakatabay
Path Finder
‎01-19-2020 08:24 AM

thank you for answers ,
pres must have accidentally written. it's not in search.
but I think it is necessary to change the data model to solve the problem.
because Filesystem.process_id not in Processes.process_id.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-19-2020 12:47 PM

I see. they are not same.
Is there another key field in both datamodels?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...