Splunk Search

How to get data from two or more data models in Splunk through a search?

gitanjali
Explorer

Hi,

Can anyone tell how I can get data from two or more data models in Splunk through a Splunk search?
Like I want to merge Vulnerabilities.signature, Malware.signature, and Intrusion_Detection.signature all in one column i.e. getting data from 3 different data models.

I tried using multisearch, pivots, and join, but nothing seems to work. I am trying to get a D3 partition layout on my dashboard and for that I need to have all sorts of signature values from different data models (Vulnerabilities, Malware, Intrusion_Detection) in just one column to plot that chart.

Please tell me how I can get that.

Thanks

Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

View solution in original post

gitanjali
Explorer

So to get the combined results from various datamodels, I used search command. But for this command to work, you need to keep the names of the resulting fields for all the subsearches to be same.

Syntax:

<serach> | append [<subsearch>]

eg :- Here I appended data from 3 datamodels and have renamed the resulting field for all subsearches as

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest|rename Vulnerabilities.dest as dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest|rename Malware_Attacks.dest as dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest|rename IDS_Attacks.dest as dest]
0 Karma

landen99
Motivator

subsearch limitations

0 Karma

somesoni2
Revered Legend

You can just do this as well

| tstats summariesonly=true count from datamodel=Vulnerabilities by Vulnerabilities.dest | append [| tstats summariesonly=true count from datamodel=Malware by Malware_Attacks.dest] | append [| tstats summariesonly=true count from datamodel=Intrusion_Detection by IDS_Attacks.dest ] | eval desk=coalesce('Vulnerabilities.dest', 'Malware_Attacks.dest','IDS_Attacks.dest') | fields - *.dest

gitanjali
Explorer

yeah, it did the job as well.
Thanks again.

0 Karma

somesoni2
Revered Legend

You can fetch data from multiple data models like this (below will append the resultset of one data model with other, like append)

| multisearch [| datamodel internal_audit_logs Audit search  ] [| datamodel internal_server scheduler search ] | rest of the search

gitanjali
Explorer

Thanks, the query worked well.

0 Karma

landen99
Motivator

datamodel does not take advantage of datamodel accelerations

0 Karma

cabauah
Path Finder

does multisearch have limit on the number of records it can combine? i.e 50k like append/subsearch

0 Karma

landen99
Motivator

no limit.

0 Karma
Get Updates on the Splunk Community!

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...

The Observability Round-Up: September 2024

What’s up Splunk Community! Welcome to the latest edition of the Observability Round-Up, a monthly series in ...