Splunk Search

How do I make a couple of indices in one table?

eyaluodba
Path Finder

Is it possible to have two different indices and have results in a single table? The indices are...

index=_internal source=*web_access.log* /app/  action=edit | rex  "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)" | table dashboard_name, _time, app_name, user

and

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count| table search_index user 

Please let me know! Thank you so much.

0 Karma
1 Solution

woodcock
Esteemed Legend

You can join searches many ways, but almost all of them are subject to the 50K-ish event limit, so beware of this:

index=_internal source=*web_access.log* /app/ action=edit 
| rex "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)" 
| table dashboard_name, _time, app_name, user 
| append 
[ search index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" 
| rex field=search "index=(?P<search_index>[^ ]+)" 
| stats count by search_index 
| sort - count 
| table search_index user]


0 Karma

MuS
Legend

Hi eyaluodba,

Sure, read more about the topic in this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the Virtual .conf March 2016 session over here http://wiki.splunk.com/Virtual_.conf

For a start, just combine your base searches:

( index=_internal source=*web_access.log* /app/  action=edit ) OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" ) 

followed by any further commands you need to get to your required result.

Hope that helps ...

cheers, MuS

eyaluodba
Path Finder

Thank you!

0 Karma


eyaluodba
Path Finder

Thank you!

0 Karma