Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine two search result with different fields in single dashboard?

navb
Loves-to-Learn
‎06-24-2022 11:08 AM

Hello,

I have logs in two index,

 

Index=flow_log

Fields required,

src_ip, src_port, dest_ip, dest_port, network interface

 

Index=config

src_ip, network interface, security group ID , security group name

 

In both the index src_ip and network interface information are common, I wanted to make a dashboard with these index and below fields. how do I combine these different fields  in one dashboard.

network interface src_ip  src_port  dest_ip  dest_port security group id  security group name.

Please help.

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 11:58 AM

Search both indexes then use the stats command to group the results by the common fields.

 

index=flow_log OR index=config
| stats values(*) as * by network_interface src_ip
| table network_interface src_ip src_port dest_ip dest_port security_group_id  security_group_name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 12:20 PM

Hello richgalloway,

Thanks you for your quick response!

I am getting below result in table,

network_interface src_ip src_port dest_ip dest_port

 
Below fields are blank, these fields are only available in config index.

security_group_id  security_group_name

  

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 01:07 PM

Double-check the field names.  I took the liberty of replacing spaces in the OP with underscores, but if the real field names are different then the query will have to be updated to match reality.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 01:10 PM

The field names are correct but while table the result it come blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 05:45 PM

If the fields are empty then there is no value for that src_ip/network_interface pair in the config index.

If you sort on the security_group_name and/or security_group_id fields do you see any values?  If you do then check the src_ip and network_interface values to make sure the same values are present in both indexes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...