Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine two search result with different fields in single dashboard?

navb
Loves-to-Learn
‎06-24-2022 11:08 AM

Hello,

I have logs in two index,

 

Index=flow_log

Fields required,

src_ip, src_port, dest_ip, dest_port, network interface

 

Index=config

src_ip, network interface, security group ID , security group name

 

In both the index src_ip and network interface information are common, I wanted to make a dashboard with these index and below fields. how do I combine these different fields  in one dashboard.

network interface src_ip  src_port  dest_ip  dest_port security group id  security group name.

Please help.

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 11:58 AM

Search both indexes then use the stats command to group the results by the common fields.

 

index=flow_log OR index=config
| stats values(*) as * by network_interface src_ip
| table network_interface src_ip src_port dest_ip dest_port security_group_id  security_group_name

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 12:20 PM

Hello richgalloway,

Thanks you for your quick response!

I am getting below result in table,

network_interface src_ip src_port dest_ip dest_port

 
Below fields are blank, these fields are only available in config index.

security_group_id  security_group_name

  

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 01:07 PM

Double-check the field names.  I took the liberty of replacing spaces in the OP with underscores, but if the real field names are different then the query will have to be updated to match reality.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

navb
Loves-to-Learn
‎06-24-2022 01:10 PM

The field names are correct but while table the result it come blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 05:45 PM

If the fields are empty then there is no value for that src_ip/network_interface pair in the config index.

If you sort on the security_group_name and/or security_group_id fields do you see any values?  If you do then check the src_ip and network_interface values to make sure the same values are present in both indexes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...