Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you pull and match data?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you pull and match data?
Hey,
So the data I am pulling from is from two source types. I indexed bigfix and tried to pull the software information(vendor), and I pulled from bigfix asset to get the (device type). I'm trying to create a dashboard of the installed software by device type.
When I enter this: index=bigfix sourcetype=bigfix:software:inventory | table vendor| join [search index=* sourcetype=bigfix:asset|table computer_type ]| stats count by vendor,computer_type
The computer type doesn't output correctly.
When I enter...
index=bigfix (sourcetype="bigfix:software:inventory" OR sourcetype="bigfix:asset") | stats count(product) by computer_type
...it shows the computer type correctly, but the vendor count is 0.
Maybe because the events, and fields, don't match from both source types. If it's possible to make it work. I would appreciate the help.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Moving comment to answer...
If they have any fields that have common values, for e.g.
comp_id has same value as identifying_number you could join them based on that field.
index=bigfix sourcetype=bigfix:software:inventory
| table comp_id vendor
| join comp_id
[ search index=bigfix sourcetype=bigfix:asset
| rename identifying_number as comp_id
| table comp_id computer_type ]
| stats count by comp_id vendor computer_type
In essence, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.
Additionally if you do not have an exact 1-1 identifier but have a snippet of an identifier in a field e.g
computer_id=LNWMP-0012341
identifying_nubmer=0012341
You could extract the number from the ID with the rex command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do these sourcetypes have fields that are common between them?
Please share an example event from each
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No they don't have any fields in common.
Bigfix:software:inventory
root_host="-----",comp_id="---",vendor="Google Inc.",product="Google Chrome",version="73.0",valid_from="2019-04-------",used_dt="None",updated_dt="2019-04-----",deleted="False",cpe="cpe:/a:google_inc.:google_chrome:73.0",last_scan_time="Fri, 29 Mar 00000"
Bigfix:asset
computer_type="", mac address"", identifying_number"---",computer_name="", ip_address"", disk drive""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If they have any fields that have common values, for e.g.
comp_id has same value as identifying_number you could join them based on that field.
index=bigfix sourcetype=bigfix:software:inventory
| table comp_id vendor
| join comp_id
[ search index=bigfix sourcetype=bigfix:asset
| rename identifying_number as comp_id
| table comp_id computer_type ]
| stats count by comp_id vendor computer_type
Basically, if you have a way of connecting a unique computer identifier to a specific event in software inventory then this would be possible to do.
Splunk MCP & Agentic AI: Machine Data Without Limits
Finding Based Detections General Availability
Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience
