Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you pull and match data?

laquantat
Engager
‎04-02-2019 09:54 AM

Hey,

So the data I am pulling from is from two source types. I indexed bigfix and tried to pull the software information(vendor), and I pulled from bigfix asset to get the (device type). I'm trying to create a dashboard of the installed software by device type.

When I enter this: index=bigfix sourcetype=bigfix:software:inventory | table vendor| join [search index=* sourcetype=bigfix:asset|table computer_type ]| stats count by vendor,computer_type

The computer type doesn't output correctly.

When I enter...

index=bigfix (sourcetype="bigfix:software:inventory" OR sourcetype="bigfix:asset") | stats count(product) by computer_type

...it shows the computer type correctly, but the vendor count is 0.

Maybe because the events, and fields, don't match from both source types. If it's possible to make it work. I would appreciate the help.

Thanks!

0 Karma
Reply

martinpu
Communicator
‎04-03-2019 11:12 AM

Moving comment to answer...

If they have any fields that have common values, for e.g.
comp_id has same value as identifying_number you could join them based on that field.

 index=bigfix sourcetype=bigfix:software:inventory 
 | table comp_id vendor 
 | join comp_id
     [ search index=bigfix  sourcetype=bigfix:asset 
     | rename identifying_number as comp_id
     | table comp_id computer_type ] 
 | stats count by comp_id vendor computer_type

In essence, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.

Additionally if you do not have an exact 1-1 identifier but have a snippet of an identifier in a field e.g
computer_id=LNWMP-0012341
identifying_nubmer=0012341
You could extract the number from the ID with the rex command.

0 Karma
Reply

martinpu
Communicator
‎04-02-2019 10:24 AM

Do these sourcetypes have fields that are common between them?

Please share an example event from each

0 Karma
Reply

laquantat
Engager
‎04-02-2019 10:49 AM

No they don't have any fields in common.

Bigfix:software:inventory
root_host="-----",comp_id="---",vendor="Google Inc.",product="Google Chrome",version="73.0",valid_from="2019-04-------",used_dt="None",updated_dt="2019-04-----",deleted="False",cpe="cpe:/a:google_inc.:google_chrome:73.0",last_scan_time="Fri, 29 Mar 00000"

Bigfix:asset
computer_type="", mac address"", identifying_number"---",computer_name="", ip_address"", disk drive""

0 Karma
Reply

martinpu
Communicator
‎04-02-2019 11:20 AM

If they have any fields that have common values, for e.g.
comp_id has same value as identifying_number you could join them based on that field.

index=bigfix sourcetype=bigfix:software:inventory 
| table comp_id vendor 
| join comp_id
    [ search index=bigfix  sourcetype=bigfix:asset 
    | rename identifying_number as comp_id
    | table comp_id computer_type ] 
| stats count by comp_id vendor computer_type

Basically, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.

Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...