Solved: How do I return a field(s) from a specific index, ...

mmercola · ‎01-09-2019

index=security sourcetype=*symantec* OR (sourcetyoe=WinHostMon (Path="*malwarebytes*")) | fillnull value="" | table Host_Name,host |dedup Host_Name,host |sort Host_Name

I want a column showing the Host_Name from the symantec source type and a column showing the host field from the Malwarebytes (WinHostMon sourcetype).

Currently, I'm getting the Host_Name field correctly, but the host field is coming from symantec sourcetype

like below
Host_Name host
1 WKST-1315 sep
2 WKST-1316 sep
3 WKST-1317 sep
4 WKST-1227 sep
5 WKST-1295 sep

Vijeta · ‎01-09-2019

Try something like below

index=security sourcetype=symantec OR (sourcetyoe=WinHostMon (Path="malwarebytes")) | fillnull value="" | eval Host_table Host_Name,host |dedup Host_Name,host |eval host1 = if(sourcetype=WinHostMon,host,"")| stats values(host1) as host by hostname

View solution in original post

Vijeta · ‎01-09-2019

Try something like below

index=security sourcetype=symantec OR (sourcetyoe=WinHostMon (Path="malwarebytes")) | fillnull value="" | eval Host_table Host_Name,host |dedup Host_Name,host |eval host1 = if(sourcetype=WinHostMon,host,"")| stats values(host1) as host by hostname

How do I return a field(s) from a specific index, where the query has multiple search indexes?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

How do I return a field(s) from a specific index, where the query has multiple search indexes?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University