Splunk Search

How to replace values outputted from |stats with values from another search?

DenverGeo
Engager

Hello!

I am attempting to take a variety of values for a single field and essentially use another search from a different index to rename them to a more human readable value. Both indexes do have a field that contains a 1:1 value that I could potentially use |join, however I am having issues with the stats table output where the search is failing to pull up any data or pulling up all data despite searching for a specific value in a field. I have tried |append as well but not getting the results I expect. 

Example:


index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address 
| search server=z4c8h2 IP=* host=* name=*
| stats count by server

Output:
mac_address | server | IP | host
xx:xx:xx:xx:xx:xx | z4c8h2 | 10.0.0.0 | vm01.internet.io

index=translate box=z4c8h2
| table human_name


The translate index search shows the name that I would like to replace in the index_ search for server, but can't get the stats table to update correctly. 

Any suggestions how to format a join/append or some other method of getting the value to update in the Stats output table?


bowesmana
SplunkTrust

Sounds like you could use a lookup.

Your index that contains the human_name - is that something that could be turned into a lookup, where the values are static? If so, then after your stats you would simply do

...
| lookup server_list.csv server 

where the lookup file contains the server/human_name.

From your naming of the index, it would appear that this data is designed to be a way to translate box-->human_name - is that right? If so, then lookup would seem an option.

If a lookup is not practical, then you need another solution - note that join is an option - but you should always explore alternatives before using join, as it has limitations.

The join option sounds simple enough

| join server [
  index=translate
  | rename box as server
  | fields server human_name
]

A stats solution would need to correlate the human_name/box/server/mac_address fields to get it done in a single search.

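The single-search stats correlation that the answer mentions but does not write out, given here as an added example (it is not code from the original post or from Splunk documentation). It uses only the field names that appear in the thread (physical_vm, box, human_name, ip_address, logical_vm, mac_address) and assumes every event carries the built-in index and _time fields. Both indexes are pulled in one base search, a common key called server is built with coalesce (physical_vm on the VM events, box on the translate events), eventstats copies the human_name from the translate events onto every VM event with the same server, the translate events are then dropped, and the final stats is the same per-mac_address aggregation as the question's search. The z4c8h2 filter is the same server the question filters on; the name=* term from the original search is left out because the preceding stats produces no name field, so that term matches nothing.

```spl
(index=index_ mac_address=* logical_vm=* state=online) OR (index=translate box=*)
| eval server=coalesce(physical_vm, box)
| eventstats latest(human_name) as human_name by server
| where index="index_"
| eval human_name=coalesce(human_name, server)
| stats latest(server) as server latest(human_name) as human_name latest(ip_address) as IP latest(logical_vm) as host by mac_address
| search server=z4c8h2
| table mac_address server human_name IP host
```

The eval after the where keeps the raw server ID as a fallback when the translate index has no row for that box, so the row is not silently dropped. eventstats keeps every server group in memory, which is fine for a few thousand boxes but is the wrong tool for a very large translate index; in that case run the translate search on a schedule with outputlookup to build the CSV and use the lookup command from the answer instead, which is also what you want if the human_name mapping rarely changes.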

DenverGeo
Engager

Thank you, this inline search got me to where I needed to be. 


