Solved: How do I return a field(s) from a specific index, ...

mmercola · ‎01-09-2019

index=security sourcetype=*symantec* OR (sourcetyoe=WinHostMon (Path="*malwarebytes*")) | fillnull value="" | table Host_Name,host |dedup Host_Name,host |sort Host_Name

I want a column showing the Host_Name from the symantec source type and a column showing the host field from the Malwarebytes (WinHostMon sourcetype).

Currently, I'm getting the Host_Name field correctly, but the host field is coming from symantec sourcetype

like below
Host_Name host
1 WKST-1315 sep
2 WKST-1316 sep
3 WKST-1317 sep
4 WKST-1227 sep
5 WKST-1295 sep

Vijeta · ‎01-09-2019

Try something like below

index=security sourcetype=symantec OR (sourcetyoe=WinHostMon (Path="malwarebytes")) | fillnull value="" | eval Host_table Host_Name,host |dedup Host_Name,host |eval host1 = if(sourcetype=WinHostMon,host,"")| stats values(host1) as host by hostname

View solution in original post

Vijeta · ‎01-09-2019

Try something like below

index=security sourcetype=symantec OR (sourcetyoe=WinHostMon (Path="malwarebytes")) | fillnull value="" | eval Host_table Host_Name,host |dedup Host_Name,host |eval host1 = if(sourcetype=WinHostMon,host,"")| stats values(host1) as host by hostname

How do I return a field(s) from a specific index, where the query has multiple search indexes?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation