I need some help. I am new to Splunk and have run into an issue. I want to have table that will display Computer Name, Physical Address, Device Type, IP Adress, and what version of Office thy Have (2013 or 365). The data is under one index but 3 different source types.
SourceType 1= AssetInfo - It has lots of fields but the 3 I care about is PysAddress, DevType, ComputerName
SourceType 2 = Network - It has many fields but the only tw I want, and they are called IPAddress, Computer
SourceType 3 = Software - It has 3 fields, I care about all 3, which are Compuetr, SoftwareName, Software Verison.
I want to pull info from all 3 source types and make one table. the common filed is computer name. The first issue is that in SourceType 1 the field is called ComputerName and the other 2 sourcetypes it is Computer. I know I could do a rename command on the sourcetype 1 if I had to. I have tried the OR Boolaen, Multisearch command, Union command and Join but I can never seem to get it to work right, the table gets created but the info it pulls he IP and creates one line then a seperate line for software. they are never ont eh same line. the next issue is that I need to filter on software that contains Microsoft office 2013 or Office 365.
Any Ideas would be welcomed
The simplest solution would be to do something like that:
1) select events from all your relevant sourcetypes
sourcetype=s1 OR sourcetype=s2 OR sourcetype=s3
2) Since in two types of events you have a field named Computer and in one you have ComputerName, you have to normalize the ComputerName field to be consistent with the rest of the events
| rename ComputerName AS Computer
In a more complicated case you could be needing a conditional evaluation instead of a simple rename but here luckily we don't have any field name clashes
3) Do a summary of all your fields
| stats values(*) by Computer
This is a simplest approach. It has one caveat though, you'll simply get multivalued fields with lists of encountered values which may cause inconsistencies between various fields.
What if there is a field conflict I just pulled up all the field under the Asset sourcetype and there is a Computer field and it has server info in it. So how would I do a eval statement, or would it be better to rename the other 2 computer fields to ComputerName
As a "conflict" I meant the hypotetical situation that you had, for example fields which would overlap after such rewrite or sourcetypes which had the field but you wouldn't want to touch them and so on.
If you had, for example, a sourcetype A for which you had both ComputerName and Computer fields. If you did any modification - either rewrite ComputerName to Computer or Computer to ComputerName, you'd lose the original information. So you'd need your eval to skip this particular sourcetype when rewriting the fields - define it conditionally. Something like:
| eval ComputerName=if(sourcetype="A",ComputerName,Computer)
This would overwrite ComputerName field with Computer value only for the sourcetypes other than "A".
See if this helps.
index=Desktops sourcetype IN (AssetInfo Network Software ) | fields PysAddress, DevType, ComputerName, IPAddress, Computer, SoftwareName, Software_Version ```Normalize the computerName field``` | eval computerName=coalesce(ComputerName, Computer) ```Group the results by computerName``` | stats values(*) as * by computerName
Once you have a list of software names and versions, it'll be easy to add a where command to filter the ones of interest.