Splunk Search

How to replace values outputted from |stats with values from another search?

DenverGeo
Engager

Hello!

I am attempting to take a variety of values for a single field and essentially use another search from a different index to rename them to a more human readable value. Both indexes do have a field that contains a 1:1 value that I could potentially use |join, however I am having issues with the stats table output where the search is failing to pull up any data or pulling up all data despite searching for a specific value in a field. I have tried |append as well but not getting the results I expect. 

Example:

 

index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address 
| search server=z4c8h2 IP=* host=* name=*
| stats count by server

Output:
mac_address | server | IP | host
xx:xx:xx:xx:xx:xx | z4c8h2 | 10.0.0.0 | vm01.internet.io

index=translate box=z4c8h2
| table human_name

 

The translate index search shows the name that I would like to replace in the index_ search for server, but can't get the stats table to update correctly.

Any suggestions how to format a join/append or some other method of getting the value to update in the Stats output table?

1 Solution

bowesmana
SplunkTrust

Sounds like you could use a lookup.

Your index that contains the human_name - is that something that could be turned into a lookup, where the values are static - if so, then after your stats you would simply do

...
| lookup server_list.csv server 

where the lookup file contains the server/human_name.

From your naming of the index, it would appear that this data is designed to be a way to translate box-->human_name - is that right? If so, then lookup would seem an option.

If a lookup is not practical, then you need another solution - note that join is an option - but you should always explore alternatives before using join, as it has limitations.

The join option sounds simple enough

| join server [
  index=translate
  | rename box as server
  | fields server human_name
]

A stats solution would need to correlate the human_name/box/server/mac_address fields to get it done in a single search.

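The three approaches the answer names (lookup, join, and a single correlating stats) written out end to end, as an added example that is not bowesmana's or DenverGeo's code. It reuses the field names from the thread (mac_address, physical_vm, ip_address, logical_vm, server, IP, host, box, human_name) and assumes that server_list.csv has been uploaded as a lookup table file with exactly two columns, server and human_name. The final eval with coalesce in each search is the safeguard the thread does not show: when a server has no entry in the lookup or in index=translate, the row keeps its raw server name instead of being blanked or dropped.

```spl
index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address
| search server=z4c8h2
| lookup server_list.csv server OUTPUT human_name
| eval server=coalesce(human_name, server)
| table mac_address server IP host

index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address
| join type=left server
    [ search index=translate box=*
      | rename box as server
      | fields server human_name
      | dedup server ]
| eval server=coalesce(human_name, server)
| table mac_address server IP host

(index=index_ mac_address=* logical_vm=* state=online) OR (index=translate box=*)
| eval server=coalesce(physical_vm, box)
| stats latest(ip_address) as IP latest(logical_vm) as host values(mac_address) as mac_address values(human_name) as human_name by server
| eval server=coalesce(human_name, server)
| table mac_address server IP host
```

The first search is the lookup route: the match is done after stats on the server field, so no subsearch runs at all. In the second search, join defaults to an inner join, which silently drops every row whose server has no match in index=translate; type=left keeps those rows, and the dedup guards against one box appearing several times in the translate index and multiplying rows. Join subsearches are also capped (50,000 results by default) and time-limited, which is the limitation the answer warns about. The third search avoids both lookup and subsearch by reading both indexes in one pass and grouping on a server field built from physical_vm in one index and box in the other; latest() ignores events that lack the field, so the translate events contribute only human_name. Filter on the raw server value (as in the first search) before the final eval, or on human_name after the stats, depending on which name you want to search by.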

DenverGeo
Engager

Thank you, this inline search got me to where I needed to be. 


