Splunk Search

How to get data from two or more data models in Splunk through a search?

gitanjali
Explorer

Hi,

Can anyone tell me how I can get data from two or more data models in Splunk through a Splunk search?
For example, I want to merge Vulnerabilities.signature, Malware.signature, and Intrusion_Detection.signature all into one column, i.e. getting data from 3 different data models.

I tried using multisearch, pivots, and join, but nothing seems to work. I am trying to get a D3 partition layout on my dashboard, and for that I need all the signature values from the different data models (Vulnerabilities, Malware, Intrusion_Detection) in just one column to plot that chart.

Please tell me how I can get that.

Thanks

1 Solution

somesoni2
Revered Legend

You can fetch data from multiple data models like this (the search below appends the result set of one data model to the other, like append):

| multisearch
    [| datamodel internal_audit_logs Audit search ]
    [| datamodel internal_server scheduler search ]
| rest of the search

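As an added example (not part of the original answer), the same multisearch pattern applied to the three data models named in the question. It assumes the CIM root datasets Vulnerabilities, Malware_Attacks and IDS_Attacks with their signature and dest fields; the model field is an added label so the merged column still records which data model each row came from. multisearch only accepts streaming commands in its subsearches, so the field normalisation is done with eval inside each branch, and tstats or stats cannot be used there; this form reads raw events through the datamodel command rather than the acceleration summaries.

```spl
| multisearch
    [| datamodel Vulnerabilities Vulnerabilities search
       | eval model="Vulnerabilities", dest='Vulnerabilities.dest', signature='Vulnerabilities.signature']
    [| datamodel Malware Malware_Attacks search
       | eval model="Malware", dest='Malware_Attacks.dest', signature='Malware_Attacks.signature']
    [| datamodel Intrusion_Detection IDS_Attacks search
       | eval model="Intrusion_Detection", dest='IDS_Attacks.dest', signature='IDS_Attacks.signature']
| fields model dest signature
| stats count by model dest signature
```

The dotted dataset-prefixed field names must be wrapped in single quotes inside eval; in double quotes they are parsed as string literals and every row would get the text "Malware_Attacks.signature" instead of the value. Because multisearch is not a subsearch, the append/subsearch row cap does not apply here, but the search scans events instead of summaries and is correspondingly slower on large time ranges.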

gitanjali
Explorer

So, to get the combined results from various data models, I used the search command. For this command to work, the names of the resulting fields must be the same across all the subsearches.

Syntax:

<search> | append [<subsearch>]

e.g., here I appended data from 3 data models and renamed the resulting field in all subsearches to dest:

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest
| rename Vulnerabilities.dest as dest
| append
    [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest
     | rename Malware_Attacks.dest as dest]
| append
    [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest
     | rename IDS_Attacks.dest as dest]

landen99
Motivator

subsearch limitations


somesoni2
Revered Legend

You can just do this as well:

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest
| append
    [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest]
| append
    [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest]
| eval dest=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest', 'IDS_Attacks.dest')
| fields - *.dest
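An added example, not from the original reply, that extends the tstats/append/coalesce form to carry both dest and the signature field the question asked for, plus a model label so the merged column stays traceable to its source. It assumes the CIM root datasets Vulnerabilities, Malware_Attacks and IDS_Attacks and that acceleration is enabled and built for all three data models: with summariesonly=true, a data model that is not accelerated contributes no rows at all, silently. Each append branch is a subsearch and is subject to append's maxout (default 50000 rows) and maxtime (default 60 seconds) options, so the example sets both explicitly; when a merged count looks too low, those two limits are the first thing to check.

```spl
| tstats summariesonly=true count from datamodel=Vulnerabilities
      by Vulnerabilities.dest Vulnerabilities.signature
| eval model="Vulnerabilities"
| append maxout=200000 maxtime=300
    [| tstats summariesonly=true count from datamodel=Malware
          by Malware_Attacks.dest Malware_Attacks.signature
     | eval model="Malware"]
| append maxout=200000 maxtime=300
    [| tstats summariesonly=true count from datamodel=Intrusion_Detection
          by IDS_Attacks.dest IDS_Attacks.signature
     | eval model="Intrusion_Detection"]
| eval dest=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest', 'IDS_Attacks.dest'),
       signature=coalesce('Vulnerabilities.signature', 'Malware_Attacks.signature', 'IDS_Attacks.signature')
| fields - *.dest *.signature
| table model dest signature count
| sort - count
```

This cannot be rewritten with multisearch, because tstats is a generating, non-streaming command and multisearch rejects it inside its subsearches; append is the right combinator for summary-backed searches, and multisearch is the right one for raw-event searches built with the datamodel command. The coalesce order matters only when a row somehow carries more than one prefixed field, which does not happen here since each branch produces exactly one dataset prefix.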

gitanjali
Explorer

yeah, it did the job as well.
Thanks again.


gitanjali
Explorer

Thanks, the query worked well.


landen99
Motivator

datamodel does not take advantage of datamodel accelerations


cabauah
Path Finder

Does multisearch have a limit on the number of records it can combine, i.e. 50k like append/subsearch?


landen99
Motivator

No limit.
