Splunk Search

How to search for and chart multiple values for different sourcetypes?

clintla
Contributor

I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.

For example:

Sourcetype A
field1 field2 field3 field4

Sourcetype B
field5 field6 field7 field8

Chart values(field1), values(field2), values(field3), values(field6), values(field7)

I want to search for something where the search string will be contained in field1 and field5 (those two will be the same), and then collect all the data from those lines in sourcetypes A and B.

I get sourcetype A or B, but not both. However, in the "Interesting Fields" from the search, I get everything, so I know the data is there.

0 Karma
1 Solution

lguinn2
Legend

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?

clintla
Contributor

The stats command works, but because one sourcetype has multiple instances and the other has one, they don't line up.

I ended up doing panels with drilldowns, which worked exceedingly well. Lisa, I think you usually come to the rescue on my questions, and you did again (the answer was right, but it got me going toward an even better answer). As always, thanks for the assistance.
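The accepted search, run against constructed sample data so that both the coalesce-on-key technique and the "they don't line up" problem from the follow-up are visible in one result table. This is an added example, not part of the original thread or of any Splunk documentation: the host names, owner values and field contents are made up, and the makeresults/makemv/mvexpand/rex prelude exists only to fabricate events for sourcetypes A and B so the search runs without an index. Sourcetype A has several events per key (srv01 appears twice, srv03 has no partner in B); sourcetype B has exactly one event per key.

```spl
| makeresults
| eval line="A,srv01,proc,alice,pid42;A,srv01,proc,bob,pid43;A,srv02,proc,carol,pid44;A,srv03,proc,dave,pid45;B,srv01,Linux,dc1,owner1;B,srv02,Windows,dc2,owner2"
| makemv delim=";" line
| mvexpand line
| rex field=line "^(?<st>[AB]),(?<c1>[^,]*),(?<c2>[^,]*),(?<c3>[^,]*),(?<c4>[^,]*)$"
| eval sourcetype=st
| eval field1=if(sourcetype="A",c1,null()), field2=if(sourcetype="A",c2,null()), field3=if(sourcetype="A",c3,null()), field4=if(sourcetype="A",c4,null())
| eval field5=if(sourcetype="B",c1,null()), field6=if(sourcetype="B",c2,null()), field7=if(sourcetype="B",c3,null()), field8=if(sourcetype="B",c4,null())
| fields - line st c1 c2 c3 c4
| search (sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats count(eval(sourcetype="A")) as a_events dc(field3) as distinct_field3 values(field3) as field3 values(field4) as field4 values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField
```

Everything before the `search` command is scaffolding; in a real deployment the pipeline starts at `(sourcetype=A field1=*) OR (sourcetype=B field5=*)` against the index. The result has one row per key: srv01 with a_events=2, field3 and field4 holding two values each (alice, bob / pid42, pid43) and single-valued field6/field7/field8 (Linux, dc1, owner1); srv02 with one value in every column; and srv03 with its A values filled in and the B columns empty. That last row is the point of using an OR plus coalesce rather than a `join`, whose default inner type would drop keys that exist on only one side; with stats nothing is discarded, so a key seen in events but missing from the other sourcetype shows up as a visible gap. The multivalue columns are what the follow-up calls not lining up: they are fine in a table or as drilldown targets, but for an actual chart use the single-valued aggregates (a_events, distinct_field3) and the columns that are one-per-key by construction.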

clintla
Contributor

I'm almost wanting a lookup: two sources that I'd like to combine into one source, really.

So field1 and field5 are what I want to search (those two fields have the same list of items). So if I search field1, I want to find all those fields in both sourcetypes.

0 Karma

lquinn
Contributor

What is the current search that you are using?

0 Karma