Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine two search result with different fields in single dashboard?

navb
Loves-to-Learn
‎06-24-2022 11:08 AM

Hello,

I have logs in two index,

 

Index=flow_log

Fields required,

src_ip, src_port, dest_ip, dest_port, network interface

 

Index=config

src_ip, network interface, security group ID , security group name

 

In both the index src_ip and network interface information are common, I wanted to make a dashboard with these index and below fields. how do I combine these different fields  in one dashboard.

network interface src_ip  src_port  dest_ip  dest_port security group id  security group name.

Please help.

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 11:58 AM

Search both indexes then use the stats command to group the results by the common fields.

 

index=flow_log OR index=config
| stats values(*) as * by network_interface src_ip
| table network_interface src_ip src_port dest_ip dest_port security_group_id  security_group_name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 12:20 PM

Hello richgalloway,

Thanks you for your quick response!

I am getting below result in table,

network_interface src_ip src_port dest_ip dest_port

 
Below fields are blank, these fields are only available in config index.

security_group_id  security_group_name

  

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 01:07 PM

Double-check the field names.  I took the liberty of replacing spaces in the OP with underscores, but if the real field names are different then the query will have to be updated to match reality.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 01:10 PM

The field names are correct but while table the result it come blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 05:45 PM

If the fields are empty then there is no value for that src_ip/network_interface pair in the config index.

If you sort on the security_group_name and/or security_group_id fields do you see any values?  If you do then check the src_ip and network_interface values to make sure the same values are present in both indexes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...