Splunk Search

How Do I Combine Two Different Data Models

OgoNARA
Explorer

I have two different data sets within the Updates data model. I catered a few panels within a dashboard that I use to collect the installed updates and update errors. I want to combine both of these searches into one by combining the datasets to correlate which machines are updating or encountering errors. Here are the two searches I have so far.

Installed Updates: 

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time"
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`

Update Errors: 

| datamodel Updates Update_Errors search
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| table _time, host, _raw


PickleRick
SplunkTrust

1. What do you mean by "correlate" in this case? Just list results from both searches? Find which results occur at more or less the same time? Something else?

2. Moving the host=$host$ condition to the front gives Splunk a bigger chance to optimize the search properly and not fetch from the indexes data it doesn't need further down the pipeline.

OgoNARA
Explorer
1. I'd say list them for now.

2. Thanks for the tips, I need them; I'm trying to get better with SPL.

PickleRick
SplunkTrust

If you just want to list both result sets in one table you need to combine two separate searches because datamodel is an event-generating command. So it's either append (which has its limitations) or multisearch (but I'm not sure if you can use multisearch with datamodel).

yuanliu
SplunkTrust

I want to first point out that using raw events to correlate two different datasets usually does not end very well because the two datasets may not have exact matches in the _time field. If you are confident that the two datasets' _time fields do not differ by a certain amount, using a time bucket could remedy that, although there can be other side effects you may need to deal with.

This said, if the data models have perfectly matching _time, you can use stats to correlate them.

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time"
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`
| append
    [datamodel Updates Update_Errors search
    | eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
    | search * host=$host$
    | table time, host, _raw]
| stats values(*) as * values(_raw) as _raw by time host
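The following search is an added example, not part of any of the posts above, that puts the two suggestions together: the host filter is applied before the renames so the datamodel search can narrow what it reads, the Update_Errors results are appended to the Updates results, and _time is bucketed before stats so rows from the two datasets do not need an identical timestamp to land on the same line. It assumes the field names the original searches already use (Updates.dvc, Updates.status, Updates.vendor_product, Updates.signature on the Updates dataset and a plain host field on Update_Errors), a dashboard token $host$, and a 5-minute bucket width; the span and the source_set/seen_in/error_message field names are assumptions chosen for this example.

```spl
| datamodel Updates Updates search
| search Updates.dvc=$host$
| rename Updates.dvc as host, Updates.status as "Update Status", Updates.vendor_product as Product, Updates.signature as "Installed Update"
| eval source_set="installed"
| fields _time host "Update Status" Product "Installed Update" source_set
| append
    [ datamodel Updates Update_Errors search
    | search host=$host$
    | eval source_set="error", error_message=_raw
    | fields _time host source_set error_message ]
| bin _time span=5m
| stats values("Update Status") as "Update Status" values(Product) as Product values("Installed Update") as "Installed Update" values(error_message) as error_message values(source_set) as seen_in by _time host
| eval time=strftime(_time, "%m-%d-%y %H:%M:%S")
| table time host seen_in "Update Status" Product "Installed Update" error_message
```

The seen_in column is the correlation signal: a row whose seen_in holds both values is a host that reported an installed update and an error in the same 5-minute bucket, a row with only "error" is a host that errored with no matching install, and so on; add `| where mvcount(seen_in)=2` if only the overlapping rows are wanted. Two side effects to keep in mind, as yuanliu notes: an install and its error that fall on either side of a bucket boundary end up on separate rows (widen the span or accept the miss), and because the error search runs as an append subsearch it is subject to the subsearch result-count and run-time limits PickleRick alludes to, so check the job inspector for a truncated subsearch before trusting a dashboard built on it.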