Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group by multiple fields?

erikschubert
Engager
‎01-30-2023 08:28 AM

Hi everyone,

I'm kinda new to splunk.

I have two indizes:

  1. Stores events (relevant fields: hostname, destPort)

      2. Stores information about infrastructure (relevant fields: host, os)

I need to show which Ports are used by which os.

From the first index I need to know which host is using which ports.

From the second index I want to know which host is using which os. I then want to see, which OS uses which ports. To make it even more difficult, the host is called hostname in index 1 and host in index 2.

I basically have to group by hostname and then by OS.

How can i achieve this? What concepts can I use?

I have two working searches for step 1 and step2, I just dont know how to "join" them together.

Any help is greatly appreciated, thanks.

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-30-2023 03:34 PM

Avoid join in Splunk where possible - it has limitations and is not really the Splunk way to do things, as joining can easily be done with stats

search <dataset_1> OR <dataset_2>
| eval host=if(index=dataset_1, hostname, host)
| stats values(destPort) as ports values(os) as os by host
| stats values(ports) as ports by os

Assuming that there is only 1 os per host, then the first stats will give all the ports for the host along with its os and then the second stats will give all the ports by os.

 

0 Karma
Reply

tej57
Builder
‎01-30-2023 08:46 AM

Hello @erikschubert ,

You can try below search:

index=events
| fields hostname,destPort
| rename hostname as host
| join type=outer host
    [| search index=infrastructure
     | fields os]
| table host destPort os
0 Karma
Reply

erikschubert
Engager
‎01-30-2023 09:02 AM
@tej57 wrote:

Hello @erikschubert ,

You can try below search:

 

index=events
| fields hostname,destPort
| rename hostname as host
| join type=outer host
    [| search index=infrastructure
     | fields os]
| table host destPort os

 

Hi,

this displays which host is using which Port, but the column OS stays empty 😞

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...