Splunk Search

How Do I Combine Two Different Data Models

OgoNARA
Explorer

I have two different data sets within the Updates data model. I catered a few panels within a dashboard that I use to collect the installed updates and update errors. I want to combine both of these searches into one by combining the datasets to correlate which machines are updating or occurring errors. Here's the two searches I have so far. 

Installed Updates: 

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time",
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`

Update Errors: 

| datamodel Updates Update_Errors search
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| table _time, host, _raw,

OgoNARA_0-1726240729004.png

 

 

Labels (3)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. What do you mean by "correlate" in this case? Just list results from both searches? Find which results occur at more or less the same time? Something else?

2. Moving the host=$host$ condition to the front gives Splunk bigger chance to optimize the search properly and not fetch from indexes the data it doesn't need further down the pipeline.

0 Karma

OgoNARA
Explorer
  1.  I'd say list them for now.
  2.  Thanks for the tips I need them I'm trying to get better with SPL 
0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you just want to list both result sets in one table you need to combine two separate searches because datamodel is an event generating command. So it's either append (which has its limitations) or multisearch (but I'm not sure if you can use multisearch with datamodel)

yuanliu
SplunkTrust
SplunkTrust

I want to first point out that using raw events to correlate two different datasets usually do not end very well because the two datasets may not have exact matches in _time field.  If you are confident that the two datasets' _time field do not differ by a certain amount, using a time bucket could remedy that, although there can be other side effects you may need to deal with.

This said, if the data models have perfectly matching _time, you can use stats to correlate them.

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time",
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`
    [datamodel Updates Update_Errors search
    | eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
    | search * host=$host$
    | table time, host, _raw]
| stats values(*) as * values(_raw) as _raw by time host
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...