Splunk Search

How to Search Multiple Source Types?




I need some help. I am new to Splunk and have run into an issue. I want to have a table that will display Computer Name, Physical Address, Device Type, IP Address, and what version of Office they have (2013 or 365). The data is under one index but 3 different source types.


SourceType 1 = AssetInfo - It has lots of fields but the 3 I care about are PysAddress, DevType, ComputerName

SourceType 2 = Network - It has many fields but I only want two, and they are called IPAddress, Computer

SourceType 3 = Software - It has 3 fields, I care about all 3, which are Computer, SoftwareName, Software Version.

I want to pull info from all 3 source types and make one table. The common field is computer name. The first issue is that in SourceType 1 the field is called ComputerName and in the other 2 sourcetypes it is Computer. I know I could do a rename command on sourcetype 1 if I had to. I have tried the OR Boolean, the multisearch command, the union command and join, but I can never seem to get it to work right: the table gets created, but it pulls the IP and creates one line, then a separate line for software. They are never on the same line. The next issue is that I need to filter on software that contains Microsoft Office 2013 or Office 365.

Any ideas would be welcomed.


Ultra Champion

The simplest solution would be to do something like this:

1) select events from all your relevant sourcetypes

sourcetype=s1 OR sourcetype=s2 OR sourcetype=s3

2) Since in two types of events you have a field named Computer and in one you have ComputerName, you have to normalize the ComputerName field to be consistent with the rest of the events:

| rename ComputerName AS Computer

In a more complicated case you might need a conditional evaluation instead of a simple rename, but here luckily we don't have any field name clashes.

3) Do a summary of all your fields:

| stats values(*) by Computer


This is the simplest approach. It has one caveat though: you'll simply get multivalued fields with lists of encountered values, which may cause inconsistencies between various fields.



What if there is a field conflict? I just pulled up all the fields under the Asset sourcetype and there is a Computer field and it has server info in it. So how would I do an eval statement, or would it be better to rename the other 2 computer fields to ComputerName?


Ultra Champion

By a "conflict" I meant the hypothetical situation that you had, for example, fields which would overlap after such a rewrite, or sourcetypes which had the field but you wouldn't want to touch them, and so on.

If you had, for example, a sourcetype A for which you had both ComputerName and Computer fields, and you did any modification - either rewrite ComputerName to Computer or Computer to ComputerName - you'd lose the original information. So you'd need your eval to skip this particular sourcetype when rewriting the fields, i.e. define it conditionally. Something like:

| eval ComputerName=if(sourcetype="A",ComputerName,Computer)

This would overwrite the ComputerName field with the Computer value only for sourcetypes other than "A".


See if this helps.

index=Desktops sourcetype IN (AssetInfo Network Software )
| fields PysAddress, DevType, ComputerName, IPAddress, Computer, SoftwareName, Software_Version
```Normalize the computerName field```
| eval computerName=coalesce(ComputerName, Computer)
```Group the results by computerName```
| stats values(*) as * by computerName

Once you have a list of software names and versions, it'll be easy to add a where command to filter the ones of interest.

If this reply helps you, Karma would be appreciated.


So I like the code, but when I run it I get the same issue: the IP address is not showing on the same line as the software. It creates a whole new row.

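The reply above reports that the IP address and the software still land on separate rows even after the coalesce. With `stats ... by`, that is what happens when the grouping values are not byte-identical across the source types, for example `PC01` in one source and `pc01.corp.example.com` in another: each spelling becomes its own group. The search below is an added example, not code from any reply in this thread. The index name and field names (`Desktops`, `PysAddress`, `DevType`, `ComputerName`, `IPAddress`, `Computer`, `SoftwareName`, `Software_Version`) are the ones given in the thread; the key name `Host`, and the assumption that the rows split because of case or domain-suffix differences, are mine. Splunk's own comment syntax (triple backticks) is left out of the block so it does not collide with the code fence; each stage is explained after it instead.

```spl
index=Desktops sourcetype IN (AssetInfo, Network, Software)
| search sourcetype!=Software OR SoftwareName="*Office 2013*" OR SoftwareName="*Office 365*"
| eval Host=coalesce(ComputerName, Computer)
| eval Host=lower(trim(Host))
| eval Host=replace(Host, "\..*$", "")
| stats values(PysAddress) as PysAddress
        values(DevType) as DevType
        values(IPAddress) as IPAddress
        values(SoftwareName) as SoftwareName
        values(Software_Version) as Software_Version
        by Host
| where isnotnull(SoftwareName)
```

Stage by stage: the `search` keeps every AssetInfo and Network event but only the Software events whose name mentions Office 2013 or Office 365, so the Office filter is applied before the join rather than against a multivalued field afterwards. `coalesce(ComputerName, Computer)` prefers `ComputerName` where it exists, which matters for AssetInfo, whose own `Computer` field was said to hold server information. The two `eval` lines that follow lowercase, trim and strip anything from the first dot onward, so a short name and a fully qualified name of the same machine collapse into one group; if your data does not have that problem they are harmless. Naming each `values()` column explicitly instead of `values(*)` keeps the raw `Computer`/`ComputerName` columns out of the table, and the final `where` drops machines for which no matching Office install was found. If rows still split after this, run the same search with `| stats count by Host, sourcetype` to see exactly which spellings of the key each source type produces.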