Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Multiple Source Type Search?

coldwolf2000
Explorer
‎05-23-2022 12:21 PM

Hello,

 

I need some help. I am new to Splunk and have run into an issue. I want to have table that will display Computer Name, Physical Address, Device Type, IP Adress, and what version of Office thy Have (2013 or 365). The data is under one index but 3 different source types.  

Index=Desktops

SourceType 1= AssetInfo - It has lots of fields but the 3 I care about is PysAddress, DevType, ComputerName 

SourceType 2 = Network - It has many fields but the only tw I want, and they are called IPAddress, Computer

SourceType 3 = Software -  It has 3 fields, I care about all 3, which are Compuetr, SoftwareName, Software Verison.

I want to pull info from all 3 source types and make one table. the common filed is computer name. The first issue is that in SourceType 1 the field is called ComputerName and the other 2 sourcetypes it is Computer. I know I could do a rename command on the sourcetype 1 if I had to. I have tried the OR Boolaen, Multisearch command, Union command and Join but I can never seem to get it to work right, the table gets created but the info it pulls he IP and creates one line then a seperate line for software. they are never ont eh same line. the next issue is that I need to filter on software that contains Microsoft office 2013 or Office 365. 

Any Ideas would be welcomed

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-23-2022 01:34 PM

The simplest solution would be to do something like that:

1) select events from all your relevant sourcetypes

sourcetype=s1 OR sourcetype=s2 OR sourcetype=s3

2) Since in two types of events you have a field named Computer and in one you have ComputerName, you have to normalize the ComputerName field to be consistent with the rest of the events

| rename ComputerName AS Computer

In a more complicated case you could be needing a conditional evaluation instead of a simple rename but here luckily we don't have any field name clashes

3) Do a summary of all your fields

| stats values(*) by Computer

 

This is a simplest approach. It has one caveat though, you'll simply get multivalued fields with lists of encountered values which may cause inconsistencies between various fields.

0 Karma
Reply

coldwolf2000
Explorer
‎05-24-2022 04:25 AM

What if there is a field conflict I just pulled up all the field under the Asset sourcetype and there is a Computer field and it has server info in it. So how would I do a eval statement, or would it be better to rename the other 2 computer fields to ComputerName

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 04:42 AM

As a "conflict" I meant the hypotetical situation that you had, for example fields which would overlap after such rewrite or sourcetypes which had the field but you wouldn't want to touch them and so on.

If you had, for example, a sourcetype A for which you had both ComputerName and Computer fields. If you did any modification - either rewrite ComputerName to Computer or Computer to ComputerName, you'd lose the original information. So you'd need your eval to skip this particular sourcetype when rewriting the fields - define it conditionally. Something like:

| eval ComputerName=if(sourcetype="A",ComputerName,Computer)

This would overwrite ComputerName field with Computer value only for the sourcetypes other than "A".

Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-23-2022 01:34 PM

See if this helps.

index=Desktops sourcetype IN (AssetInfo Network Software )
| fields PysAddress, DevType, ComputerName, IPAddress, Computer, SoftwareName, Software_Version
```Normalize the computerName field```
| eval computerName=coalesce(ComputerName, Computer)
```Group the results by computerName```
| stats values(*) as * by computerName

Once you have a list of software names and versions, it'll be easy to add a where command to filter the ones of interest.

---
If this reply helps you, Karma would be appreciated.
Reply

coldwolf2000
Explorer
‎05-24-2022 05:02 AM

So I like the code, but I when I run it the same issue, the IP address is not showing on the same line as the software. it creates a whole new row

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...