Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine common fields from search results into one column?

daishih
Path Finder
‎07-18-2016 10:03 AM

I have three devices, each with its own sourcetype. I am trying to combine the fields src with src_ip and dst with dest_ip into new table fields called Source IP and Destination IP from the results of the search below:

blocked OR deny | search src="$IP$" OR src_ip="$IP$" | table _time, eventtype, sourcetype, Source IP, Destination IP

I've been unable to locate how to do this in the Splunk docs, and none of the questions on this site easily explain how this accomplished. Most of the answers just provide code to the person asking without much explanation of what they are doing. I'd like to know how the concept works, not just some code I can copy/paste. My searches will be done over several time frames, so performance is very important as this search will be used to regularly troubleshoot connection issues with the devices.

Once I get the search above to display results correctly, I'd like to take the results of the string below and do the same thing:

blocked OR deny [search sourcetype=pan:traffic | where user="mydomain\\$userName$" | rename src_ip AS src | fields src]  | table _time, eventtype, sourcetype, Source IP, Destination IP, dest_port, url, application, category, src_zone, dest_zone, policy_id, action

Thank you in advance 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-18-2016 10:46 AM

I think you may want to read up on Splunk Common Information Model. That will allow you to normalize the fields across multiple sources, such that src_ip will be src_ip (or whatever you map it to) across all sourcetypes making it much easier in your searches to find the right information.

http://docs.splunk.com/Documentation/CIM/4.5.0/User/Overview

In the meantime, you could use the coalesce command. Something like this eval src=coalesce(src, src_ip) What this does is, the src is populated with the non-null value from src and src_ip. So if one event has value in src_ip, that that value is used in field called src So your first search will look something like this

blocked OR deny | search src="$IP$" OR src_ip="$IP$" | eval "Source IP" = coalesce(src, src_ip) | eval "Destination IP"=coalesce(dst, dest_ip) | table _time, eventtype, sourcetype, "Source IP", "Destination IP"

Hope this helps. Let me know if you need further clarifications/assitance.

View solution in original post

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...