Splunk Search

Datamodel combine search

Path Finder

Hi Splunkers,

I want to use two datamodel searches at the same time. My problem:
My search returns Filesystem.process_id, but I also want to see the process name, which is not included in the Endpoint->Filesystem datamodel.
I want to fetch process_name from the Endpoint->Processes datamodel in the same search.

My base search is:
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id

An example output:

[screenshot of the result table, not reproduced]

How can I add Processes.process_name by Filesystem.process_id to this search?

Happy Hunting.

0 Karma

Re: Datamodel combine search

Ultra Champion
| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
|append [ | tstats summariesonly=true allow_old_summaries=true pres count FROM datamodel=Endpoint.Processes BY "Processes.process_id", "Processes.process_name"
| fields - count ]
| rename "Filesystem.*" AS "*", "Processes.*" AS "*"
| selfjoin process_id

Hi, @burakatabay
I haven't tried this, and I don't understand `pres` in your tstats query.
If `pres` is not needed, please delete it.
Maybe it works. How about this?

0 Karma

Re: Datamodel combine search

Path Finder

Thank you for the answers.
`pres` must have been written accidentally; it's not in the search.
But I think it is necessary to change the data model to solve the problem,
because Filesystem.process_id is not in Processes.process_id.

0 Karma

Re: Datamodel combine search

Ultra Champion

I see, they are not the same.
Is there another key field in both datamodels?

0 Karma
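As an added example (not code posted by anyone in this thread), the following search does what the first reply sketches with append/selfjoin, but keys the merge on both dest and process_id, which answers the "another key field" question above: a PID alone is only unique per host and is recycled over time, so dest must be part of the key. It assumes the standard CIM field names (Filesystem.dest, Filesystem.process_id, Processes.dest, Processes.process_id, Processes.process_name); the `src` marker field and the `unmatched` check at the end are illustrative additions.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Endpoint.Filesystem
    BY Filesystem.dest Filesystem.process_id Filesystem.file_name Filesystem.file_path
| rename "Filesystem.*" AS "*"
| eval src="filesystem"
| append [
    | tstats summariesonly=true allow_old_summaries=true
        values(Processes.process_name) AS process_name
        FROM datamodel=Endpoint.Processes
        BY Processes.dest Processes.process_id
    | rename "Processes.*" AS "*"
    | eval src="processes" ]
``` attach process_name from the Processes rows to every Filesystem row
``` that shares the same host and PID, without collapsing the file rows
| eventstats values(process_name) AS process_name BY dest process_id
| where src="filesystem"
``` rows with no process_name are PIDs the Processes dataset never saw
| eval unmatched=if(isnull(process_name), 1, 0)
| convert ctime(firstTime) ctime(lastTime)
| fields - src
| table dest process_id process_name unmatched file_name file_path count firstTime lastTime
```

Two caveats when running this against real data: the append subsearch is subject to the usual subsearch limits (result count and run time), so on a busy estate restrict the time range or filter by dest; and if the unmatched count is high, that confirms the problem raised in the thread (the Filesystem source logs PIDs the Processes source does not), which a search alone cannot fix, only a change to what is being logged or to the data model.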

Re: Datamodel combine search

Esteemed Legend

We really need to see more of your data but maybe this?

| tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names
FROM datamodel=Endpoint.Filesystem
BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id"

0 Karma