Splunk Search

How to search across multiple source types?

coldwolf2000
Explorer

Hello,

 

I need some help. I am new to Splunk and have run into an issue. I want to have a table that will display Computer Name, Physical Address, Device Type, IP Address, and what version of Office they have (2013 or 365). The data is under one index but 3 different source types.

Index=Desktops

SourceType 1 = AssetInfo - It has lots of fields, but the 3 I care about are PysAddress, DevType, ComputerName

SourceType 2 = Network - It has many fields, but the only two I want are called IPAddress, Computer

SourceType 3 = Software - It has 3 fields, and I care about all 3, which are Computer, SoftwareName, Software Version.

I want to pull info from all 3 source types and make one table. The common field is computer name. The first issue is that in SourceType 1 the field is called ComputerName and in the other 2 sourcetypes it is Computer. I know I could do a rename command on sourcetype 1 if I had to. I have tried the OR Boolean, the multisearch command, the union command and join, but I can never seem to get it to work right: the table gets created, but it pulls the IP and creates one line, then a separate line for the software. They are never on the same line. The next issue is that I need to filter on software that contains Microsoft Office 2013 or Office 365.

Any Ideas would be welcomed

0 Karma

PickleRick
SplunkTrust

The simplest solution would be to do something like this:

1) select events from all your relevant sourcetypes

sourcetype=s1 OR sourcetype=s2 OR sourcetype=s3

2) Since in two types of events you have a field named Computer and in one you have ComputerName, you have to normalize the ComputerName field to be consistent with the rest of the events:

| rename ComputerName AS Computer

In a more complicated case you might need a conditional evaluation instead of a simple rename, but here, luckily, we don't have any field name clashes.

3) Do a summary of all your fields:

| stats values(*) by Computer

 

This is the simplest approach. It has one caveat, though: you'll simply get multivalued fields with lists of the encountered values, which may cause inconsistencies between the various fields.

0 Karma

coldwolf2000
Explorer

What if there is a field conflict? I just pulled up all the fields under the Asset sourcetype, and there is a Computer field which has server info in it. So how would I do an eval statement, or would it be better to rename the other 2 Computer fields to ComputerName?

0 Karma

PickleRick
SplunkTrust

By "conflict" I meant the hypothetical situation where you had, for example, fields which would overlap after such a rewrite, or sourcetypes which had the field but which you wouldn't want to touch, and so on.

Say you had, for example, a sourcetype A with both the ComputerName and Computer fields. If you did any modification, either rewriting ComputerName to Computer or Computer to ComputerName, you'd lose the original information. So you'd need your eval to skip this particular sourcetype when rewriting the fields, i.e. define it conditionally. Something like:

| eval ComputerName=if(sourcetype="A",ComputerName,Computer)

This would overwrite the ComputerName field with the Computer value only for sourcetypes other than "A".

richgalloway
SplunkTrust

See if this helps.

index=Desktops sourcetype IN (AssetInfo, Network, Software)
| fields PysAddress, DevType, ComputerName, IPAddress, Computer, SoftwareName, Software_Version
```Normalize the computerName field```
| eval computerName=coalesce(ComputerName, Computer)
```Group the results by computerName```
| stats values(*) as * by computerName

Once you have a list of software names and versions, it'll be easy to add a where command to filter the ones of interest.

---
If this reply helps you, Karma would be appreciated.
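As an added worked example (not code posted by anyone in the thread), the complete search below puts the pieces of the two answers together: PickleRick's per-sourcetype conditional eval for the join key (needed because, per the follow-up, AssetInfo has its own unrelated Computer field), richgalloway's stats aggregation, and the Office 2013 / Office 365 filter from the question, applied to the Software events before aggregating so that unrelated software does not dilute the multivalue lists. It assumes the index and field names from the question (index Desktops; sourcetypes AssetInfo, Network, Software; fields PysAddress, DevType, ComputerName, IPAddress, Computer, SoftwareName) and, following richgalloway's reply, that the version field is extracted as Software_Version. The lower()/trim() normalization, the UNKNOWN bucket and the host_key name are the editor's additions, not anything the original posters wrote.

```spl
index=Desktops ((sourcetype=AssetInfo OR sourcetype=Network) OR (sourcetype=Software (SoftwareName="*Office 2013*" OR SoftwareName="*Office 365*")))
| eval host_key=lower(trim(if(sourcetype="AssetInfo", ComputerName, Computer)))
| eval host_key=if(isnull(host_key) OR host_key="", "UNKNOWN", host_key)
| fields host_key, PysAddress, DevType, IPAddress, SoftwareName, Software_Version
| stats values(PysAddress) as PysAddress, values(DevType) as DevType, values(IPAddress) as IPAddress, values(SoftwareName) as SoftwareName, values(Software_Version) as Software_Version by host_key
| table host_key, PysAddress, DevType, IPAddress, SoftwareName, Software_Version
```

Two points a practitioner should keep in mind when running this. First, `stats ... by host_key` puts two events on the same row only when their key strings are byte-for-byte identical, and it silently drops events whose key is null; the lower()/trim() wrapper removes case and whitespace differences, and mapping an empty key to UNKNOWN makes key-less events visible instead of disappearing. If the IP and the software still land on separate rows, compare the host_key values of those two rows side by side; a difference in the key is the only way stats produces two groups. Second, the multivalue caveat from PickleRick's first reply still applies: a machine that has both Office 2013 and Office 365 installed gets both names in SoftwareName and both versions in Software_Version, and the order of the two lists is not guaranteed to correspond. If one row per installation is needed, aggregate the Software events separately (for example with mvexpand on the Software side) rather than relying on values().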

coldwolf2000
Explorer

So I like the code, but when I run it I get the same issue: the IP address is not showing on the same line as the software. It creates a whole new row.

0 Karma