Splunk Search

How to combine values from fields in different indexes using it to sort?

FGAnders
Explorer

Hi,

I'm trying to combine values from two different fields in two different indexes, but it seems to come up blank. Are there any other options, like join, to combine it and sort it after the combined values?

| multisearch
[search index=ABC UserID=* CheckEvent Alias=* ]
[search index=CDE UserID=* classifications=SuperUser AliasTest=true ]
| eval Combi = AliasTest." - ".Alias
| stats values(UserID) as UserID, list(Combi) as Combined, list(AliasTest) as AliasTest ,list(classifications) as classifications, list(Alias) as Alias, dc(UserID) as users by Combi

It works if I combine fields from the same index, but not if I try to combine field values from the ABC and CDE indexes.


Thank you,


ITWhisperer
SplunkTrust

Your issue is not so much the multisearch - you can avoid this by using:

(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)

The issue is that you (apparently) have events in the pipeline that you want to combine. In order to do this, you would need a field in the events from one index which matches values in a field from events in the other index. So, unless AliasTest and Alias appear in events from both indexes, and therefore Combi is valid for events in both indexes, the stats (or a join) will not be able to combine the values by Combi.
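As an added illustration (not part of the original thread), here is the key-based combination the reply above describes. It assumes UserID is populated in the events of both index=ABC and index=CDE, which is plausible because the original searches filter on UserID=* in both; the field names Alias, AliasTest and classifications are taken from the post, and idx_count and Combi are my own names.

```spl
(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)
| stats values(Alias) as Alias,
        values(AliasTest) as AliasTest,
        values(classifications) as classifications,
        dc(index) as idx_count
        by UserID
| where idx_count=2
| eval Combi = mvjoin(AliasTest, ",")." - ".mvjoin(Alias, ",")
| sort Combi
```

The point is the order of operations: eval Combi runs after stats, once the Alias value from ABC and the AliasTest value from CDE sit on the same row keyed by UserID. Doing the eval before stats, as in the original search, yields null for every event because no single event carries both fields. The where idx_count=2 clause keeps only users seen in both indexes, which for a classifications=SuperUser query is usually what you want (an alias-check event that matches a privileged user), and mvjoin guards against a user with several aliases. The same result can be built with join type=inner UserID on a subsearch, but a subsearch is capped by the subsearch result and time limits, so the single search with stats is the safer form on large indexes.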

FGAnders
Explorer

Hi,

Thank you for the fast reply.

Seems like it's not possible then if the fields and values are unique in both events in the indexes.


ITWhisperer
SplunkTrust

Perhaps not strictly true, but it depends on your data.

For example, if you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events, but maybe this is good enough for your use case?
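An added example of the positional combination described above, not from the original thread. It uses the two searches from the question; UserID_CDE and same_user are my own names, added to make the caveat in the reply visible in the output.

```spl
index=ABC UserID=* CheckEvent Alias=*
| sort 0 _time
| table _time UserID Alias
| appendcols
    [ search index=CDE UserID=* classifications=SuperUser AliasTest=true
      | sort 0 _time
      | table UserID AliasTest classifications
      | rename UserID as UserID_CDE ]
| eval Combi = AliasTest." - ".Alias
| eval same_user = if(UserID=UserID_CDE, "yes", "no")
| sort Combi
```

Both sides are sorted by _time so that the row pairing is at least deterministic, and the subsearch's UserID is renamed so the two identifiers survive side by side; the same_user column then shows row by row whether the positional match happened to pair the same account, which is exactly what appendcols does not check. If one search returns fewer rows than the other, the remaining rows have empty columns from the shorter side, and the subsearch is subject to the usual subsearch result limit, so treat this as a quick comparison rather than a join.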

FGAnders
Explorer

Thank you very much for the help.
