Splunk Search

How to search for and chart multiple values for different sourcetypes?

clintla
Contributor

I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.

For example:

Sourcetype A
field1 field2 field3 field4

Sourcetype B
field5 field6 field7 field8

Chart values(field1), values(field2), values(field3), values(field6), values(field7)

I want to search for something where the search string will be contained in field1 & field5 (which will be the same), & then collect all the data from those lines in Sourcetypes A & B.

I get Sourcetype A or B, but not both. However, in the "Interesting Fields" from the search, I get everything, so I know the data is there.

0 Karma
1 Solution

lguinn2
Legend

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?


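Building on the accepted answer above, this is an added example (not from the original thread) that keeps the coalesce/stats pattern but also counts events per sourcetype so the one-to-many mismatch described in the replies is visible, keeps only keys seen in both sourcetypes, and flattens the multi-valued results with mvjoin so each key becomes one table row. The search term "srv01" is a constructed placeholder, and the field names are the ones used in the question.

```spl
(sourcetype=A field1="*srv01*") OR (sourcetype=B field5="*srv01*")
| eval key=coalesce(field1, field5)
| stats count(eval(sourcetype="A")) as eventsA
        count(eval(sourcetype="B")) as eventsB
        dc(field3) as distinct_field3
        values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8
        by key
| where eventsA > 0 AND eventsB > 0
| eval field2=mvjoin(field2, "; "), field3=mvjoin(field3, "; "), field4=mvjoin(field4, "; ")
| table key eventsA eventsB distinct_field3 field2 field3 field4 field6 field7 field8
```

The numeric columns (eventsA, eventsB, distinct_field3) are the ones that can be fed to chart, since the mvjoin'd strings are only usable in a table view.
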
clintla
Contributor

The stats command works, but because one sourcetype has multiple instances & the other has one, they don't line up.

I ended up doing panels with drilldowns, which worked exceedingly well. Lisa, I think you usually come to the rescue on my questions & you did again (the answer was right, but it got me going to an even better answer)... as always, thanks for the assistance.

clintla
Contributor

I'm almost wanting a lookup: 2 sources that I'd like to combine into 1 source, really.

So field1 & field5 are what I want to search (those 2 fields have the same list of items). So if I search field1, I want to find all those fields in both sourcetypes.

0 Karma

lquinn
Contributor

What is the current search that you are using?

0 Karma