Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Matching fields from different indices to return another field

izyknows
Path Finder
‎06-02-2020 09:46 PM

Hi,

I have two different indexes where I need to match a field and if true, return another field.

First Search (Index1)

FileName          DeviceName
explorer.exe     myserver.test.com
processor.dll    anothersystem.xyz.abc
third.exe        yetanother.aaa.bbb
another.exe      myserver.test.com

Second search (Index2)

HostName                      Owner
MYserver.test.com        bob@sample.com
nonEXistent.abc.ccc      larry@sample.com
yetANOTHER.aaa.bbb       charlie@sample.com

Desired search result

DeviceName                    FileName                Owner
myserver.test.com            explorer.exe           bob@sample.com
                             another.exe
yetanother.aaa.bbb           third.exe              charlie@sample.com

Couple of things to notice

  • I need to show results where DeviceName and HostName match. Both fields may be in different case (so case insensitive matching is required)
  • If DeviceName==HostName, I need the Owner field returned from Index2
  • One DeviceName/HostName may have many FileNames under it and I need to display all (explorer.exe + another.exe)

I've been tinkering around and am having a hard time finding the right query. Here's where I'm at.

(index=index1 sourcetype=type1 FileName=somecondition*) OR (index=index2 sourcetype=type2)
| fields FileName, DeviceName, Owner, HostName
| eval magic=case(DeviceName==HostName, Owner)
| stats list(FileName) as FileName, list(magic) as SysOwner by DeviceName

Although it doesn't work. I tried variations of the eval statement using if, coalesce and a few other solutions from other questions. But I believe the case difference between the two fields is what is hindering me.

I'm still new to Splunk and any help would be appreciated! 🙂

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 05:54 AM

You were close. The secret is to create a common field between the two indexes that Splunk can use to match up events. I like to use coalesce to do that.

(index=index1 sourcetype=type1 FileName=somecondition*) OR (index=index2 sourcetype=type2)
 | fields FileName, DeviceName, Owner, HostName
 | eval DeviceName=coalesce(DeviceName, HostName)
 | stats values(*) as * by DeviceName
 | table DeviceName FileName Owner
---
If this reply helps you, Karma would be appreciated.
Reply

izyknows
Path Finder
‎06-03-2020 07:45 AM

Interesting! I tried running your query and while it gives me DeviceName and Owner properly, none of the other fields (FileName) are blank. Any idea why?

0 Karma
Reply

493669
Super Champion
‎06-03-2020 05:49 AM

@izyknows Please try below-

...|eval DeviceName=coalesce(DeviceName,HostName)|stats values(FileName) as FileName values(Owner) as Owner by DeviceName

Below is using sample data-

|makeresults|eval FileName="explorer.exe", DeviceName="myserver.test.com"
|append[|makeresults|eval HostName="myserver.test.com", Owner="bob@sample.com"]
|append[|makeresults|eval FileName="another.exe", DeviceName="myserver.test.com"]
|fields - _time|eval DeviceName=coalesce(DeviceName,HostName)|stats values(FileName) as FileName values(Owner) as Owner by DeviceName
0 Karma
Reply

izyknows
Path Finder
‎06-03-2020 07:46 AM

Thanks! I tried out your query but no luck. Similar to the other answer, DeviceName and Owner populate fine but the other fields are blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 10:29 AM

The example query works fine for me.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

izyknows
Path Finder
‎06-04-2020 08:12 AM

Unfortunately it doesn't for me. The example I posted is a simplified version of the actual scenario though. There are 3 more fields from each index which I also fetch and show in the end. I took them out for the sake of simplicity.

0 Karma
Reply

izyknows
Path Finder
‎06-04-2020 08:28 AM

I think when stats values() comes into picture, it removes duplicates. And in my FolderPath and other fields, I may have (and want) these duplicates. Why is it that after coalesce, my other fields disappear?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2020 05:40 PM

Yes, stats values(foo) removes the duplicate values of field foo. To see the duplicates use list(foo).

Coalesce should not be affecting your other fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...