Solved: How to get data from two or more data models in Sp...

gitanjali · ‎02-02-2016

Hi,

Can anyone tell how I can get data from two or more data models in Splunk through a Splunk search?
Like I want to merge Vulnerabilities.signature, Malware.signature, and Intrusion_Detection.signature all in one column i.e. getting data from 3 different data models.

I tried using multisearch, pivots, and join, but nothing seems to work. I am trying to get a D3 partition layout on my dashboard and for that I need to have all sorts of signature values from different data models (Vulnerabilities, Malware, Intrusion_Detection) in just one column to plot that chart.

Please tell me how I can get that.

Thanks

somesoni2 · ‎02-02-2016

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

View solution in original post

gitanjali · ‎02-10-2016

So to get the combined results from various datamodels, I used search command. But for this command to work, you need to keep the names of the resulting fields for all the subsearches to be same.

Syntax:

<serach> | append [<subsearch>]

eg :- Here I appended data from 3 datamodels and have renamed the resulting field for all subsearches as

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest|rename Vulnerabilities.dest as dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest|rename Malware_Attacks.dest as dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest|rename IDS_Attacks.dest as dest]

landen99 · ‎12-04-2019

subsearch limitations

somesoni2 · ‎02-10-2016

You can just do this as well

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest ] | eval desk=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest','IDS_Attacks.dest') | fields - *.dest

gitanjali · ‎02-10-2016

yeah, it did the job as well.
Thanks again.

somesoni2 · ‎02-02-2016

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

gitanjali · ‎02-10-2016

Thanks, the query worked well.

landen99 · ‎12-04-2019

datamodel does not take advantage of datamodel accelerations

cabauah · ‎03-27-2019

does multisearch have limit on the number of records it can combine? i.e 50k like append/subsearch

landen99 · ‎12-04-2019

no limit.

How to get data from two or more data models in Splunk through a search?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)