Splunk Search

How to get data from two or more data models in Splunk through a search?

gitanjali
Explorer

Hi,

Can anyone tell how I can get data from two or more data models in Splunk through a Splunk search?
Like I want to merge Vulnerabilities.signature, Malware.signature, and Intrusion_Detection.signature all in one column i.e. getting data from 3 different data models.

I tried using multisearch, pivots, and join, but nothing seems to work. I am trying to get a D3 partition layout on my dashboard and for that I need to have all sorts of signature values from different data models (Vulnerabilities, Malware, Intrusion_Detection) in just one column to plot that chart.

Please tell me how I can get that.

Thanks

Tags (2)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

View solution in original post

gitanjali
Explorer

So to get the combined results from various datamodels, I used search command. But for this command to work, you need to keep the names of the resulting fields for all the subsearches to be same.

Syntax:

<serach> | append [<subsearch>]

eg :- Here I appended data from 3 datamodels and have renamed the resulting field for all subsearches as

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest|rename Vulnerabilities.dest as dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest|rename Malware_Attacks.dest as dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest|rename IDS_Attacks.dest as dest]
0 Karma

landen99
Motivator

subsearch limitations

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can just do this as well

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest ] | eval desk=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest','IDS_Attacks.dest') | fields - *.dest

gitanjali
Explorer

yeah, it did the job as well.
Thanks again.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

gitanjali
Explorer

Thanks, the query worked well.

0 Karma

landen99
Motivator

datamodel does not take advantage of datamodel accelerations

0 Karma

cabauah
Path Finder

does multisearch have limit on the number of records it can combine? i.e 50k like append/subsearch

0 Karma

landen99
Motivator

no limit.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...