Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to populate column in results using two indexes?

splunker1981
Path Finder
‎03-11-2019 08:52 AM

Hello all -

Trying to figure out how to return the table below when using two index/sourcetypes. I'd like to do some eval by index and then check whether the respective index has an event so I can add yes | no to the respective column. The common field would be IP and either the IP will have both or one or the other defined. 

indexA
ip=1.1.1.1 app-id=3.09
ip=3.3.3.3 app-id=2.11

indexB
ip=1.1.1.1 rel=release39
ip=2.2.2.2 rel=release12

Desired Results
IP        Release    App-id
1.1.1.1   yes           yes
2.2.2.2   yes          no
3.3.3.3   no            yes
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-11-2019 09:13 AM

Hi splunker1981,
if you want to list all the IPs where there's at least Release=yes or App-id=yes, try something like this:

index=indexA OR index=indexB
| stats dc(rel) AS rel dc(app-id) AS app-id BY ip
| eval Release=if(rel>0,"yes","not"), App-id=if(app-id>0,"yes","not")
| rename ip AS IP
| table IP Release App-id

If you could have also both Release=not and App-id=not, you have to try something like this

index=indexA OR index=indexB
| stats dc(rel) AS rel dc(app-id) AS app-id BY ip
| eval Release=if(rel>0,"yes","not"), App-id=if(app-id>0,"yes","not")
| append [  search index=indexA NOT app-id=* | eval App-id="not" | fields ip App-id]
| append [  search index=indexB NOT rel=* | eval Release="not" | fields ip Release ]
| stats values(Release) AS Release values(App-id) AS App-id BY ip
| rename ip AS IP
| table IP Release App-id

Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-31-2019 05:52 AM

Hi splunker1981,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 08:58 AM

Does this do what you need?

index=indexA OR index=indexB 
| stats values(rel) as Release values(app-id) as "App-id" by ip
| rename ip as IP
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...