Splunk Search

Datamodel combine search

burakatabay
Path Finder

Hi Splunkers,

I want to use two datamodel search in same time. My problem ;
My search return Filesystem.process_id but also ı want to see process_name but not including in Endpoint->Filesystem Datamodel.
I want to fetch process_name in Endpoint->Processes datamodel in same search.

My base search is =
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id

An example output :

alt text

How I add Processes.process_name by Filesystem.process_id on this search?

Happy Hunting.

0 Karma

woodcock
Esteemed Legend

We really need to see more of your data but maybe this?

| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names
FROM datamodel=Endpoint.Filesystem
BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id"
0 Karma

to4kawa
Ultra Champion
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
|append [ | tstats summariesonly=true allow_old_summaries=true pres count FROM datamodel=Endpoint.Processes BY "Processes.process_id", "Process.process_name"
| fields - count ]
| selfjoin process_id

Hi, @burakatabay
I haven't try this, and I don't understand pres in your query tstats
if pres is no need, please delete it.
maybe works. how about this?

0 Karma

burakatabay
Path Finder

thank you for answers ,
pres must have accidentally written. it's not in search.
but I think it is necessary to change the data model to solve the problem.
because Filesystem.process_id not in Processes.process_id.

0 Karma

to4kawa
Ultra Champion

I see. they are not same.
Is there another key field in both datamodels?

0 Karma
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...