I have two different data sets within the Updates data model. I catered a few panels within a dashboard that I use to collect the installed updates and update errors. I want to combine both of these searches into one by combining the datasets to correlate which machines are updating or occurring errors. Here's the two searches I have so far.
Installed Updates:
| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time",
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`
Update Errors:
| datamodel Updates Update_Errors search
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| table _time, host, _raw,
1. What do you mean by "correlate" in this case? Just list results from both searches? Find which results occur at more or less the same time? Something else?
2. Moving the host=$host$ condition to the front gives Splunk bigger chance to optimize the search properly and not fetch from indexes the data it doesn't need further down the pipeline.
If you just want to list both result sets in one table you need to combine two separate searches because datamodel is an event generating command. So it's either append (which has its limitations) or multisearch (but I'm not sure if you can use multisearch with datamodel)
I want to first point out that using raw events to correlate two different datasets usually do not end very well because the two datasets may not have exact matches in _time field. If you are confident that the two datasets' _time field do not differ by a certain amount, using a time bucket could remedy that, although there can be other side effects you may need to deal with.
This said, if the data models have perfectly matching _time, you can use stats to correlate them.
| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time",
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`
[datamodel Updates Update_Errors search
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| table time, host, _raw]
| stats values(*) as * values(_raw) as _raw by time host