I have three devices, each with its own sourcetype. I am trying to combine the fields src with src_ip and dst with dest_ip into new table fields called Source IP and Destination IP from the results of the search below:
blocked OR deny | search src="$IP$" OR src_ip="$IP$" | table _time, eventtype, sourcetype, Source IP, Destination IP
I've been unable to locate how to do this in the Splunk docs, and none of the questions on this site easily explain how this accomplished. Most of the answers just provide code to the person asking without much explanation of what they are doing. I'd like to know how the concept works, not just some code I can copy/paste. My searches will be done over several time frames, so performance is very important as this search will be used to regularly troubleshoot connection issues with the devices.
Once I get the search above to display results correctly, I'd like to take the results of the string below and do the same thing:
blocked OR deny [search sourcetype=pan:traffic | where user="mydomain\\$userName$" | rename src_ip AS src | fields src] | table _time, eventtype, sourcetype, Source IP, Destination IP, dest_port, url, application, category, src_zone, dest_zone, policy_id, action
Thank you in advance 🙂
I think you may want to read up on Splunk Common Information Model. That will allow you to normalize the fields across multiple sources, such that src_ip will be src_ip (or whatever you map it to) across all sourcetypes making it much easier in your searches to find the right information.
http://docs.splunk.com/Documentation/CIM/4.5.0/User/Overview
In the meantime, you could use the coalesce
command. Something like this eval src=coalesce(src, src_ip)
What this does is, the src
is populated with the non-null value from src
and src_ip
. So if one event has value in src_ip, that that value is used in field called src
So your first search will look something like this
blocked OR deny | search src="$IP$" OR src_ip="$IP$" | eval "Source IP" = coalesce(src, src_ip) | eval "Destination IP"=coalesce(dst, dest_ip) | table _time, eventtype, sourcetype, "Source IP", "Destination IP"
Hope this helps. Let me know if you need further clarifications/assitance.