Splunk Search

How do I make a couple of indices in one table?

eyaluodba
Path Finder

Is it possible to have two different indices and have results in a single table? The indices are...

index=_internal source=*web_access.log* /app/  action=edit | rex  "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)" | table dashboard_name, _time, app_name, user

and

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count | table search_index user

Please let me know! Thank you so much.

1 Solution

woodcock
Esteemed Legend

You can join searches many ways, but almost all of them are subject to the 50K-ish event limit, so beware of this:

index=_internal source=*web_access.log* /app/ action=edit 
| rex "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)" 
| table dashboard_name, _time, app_name, user 
| append 
[ search index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" 
| rex field=search "index=(?P<search_index>[^ ]+)" 
| stats count by search_index 
| sort - count 
| table search_index user]


MuS
SplunkTrust

Hi eyaluodba,

Sure, read more about the topic in this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the Virtual .conf March 2016 session over here: http://wiki.splunk.com/Virtual_.conf

For a start, just combine your base searches:

( index=_internal source=*web_access.log* /app/  action=edit ) OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" ) 

followed by any further commands you need to get to your required result.

Hope that helps ...

cheers, MuS
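A worked version of the combined-base-search approach, added here as an example rather than MuS's or the original poster's own query. It runs both base searches as one OR search (so no subsearch and no append event limit), tags each event with a constructed field named source_type, and reports dashboard edits and granted searches per user in one table; the rex patterns are tightened from the question's `.\w+` to stop at the next slash, which is an assumption about the URL layout.

```spl
( index=_internal source=*web_access.log* /app/ action=edit )
OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" )
| rex "/app/(?<app_name>[^/]+)/(?<dashboard_name>[^/?\s]+)"
| rex field=search "index=(?P<search_index>[^ ]+)"
| eval source_type=if(index="_internal", "dashboard_edit", "granted_search")
| stats count, latest(_time) AS last_seen,
        values(app_name) AS app_name,
        values(dashboard_name) AS dashboard_name,
        values(search_index) AS search_index
  BY user, source_type
| convert ctime(last_seen)
| sort - count
| table user, source_type, count, last_seen, app_name, dashboard_name, search_index
```

Because both sources are aggregated by user in a single stats pass, a user who edits dashboards and queries unexpected indexes shows up on adjacent rows, which is the audit view the two separate searches cannot give.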

eyaluodba
Path Finder

Thank you!



eyaluodba
Path Finder

Thank you!
