Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Merge two searches that use two different sourcetypes?

bewald_cfi
New Member
‎03-12-2019 12:57 PM

I have two searches from two different sourcetypes. Search #1 is currently in a dashboard with a dropdown selection. I would like to merge both searches into one and still utilize the dropdown selection. Is this possible?

Search #1
sourcetype=Signature host="my_scanner"

| rename extracted_system AS dns
| join dns [ | inputlookup computers.csv Where owner="*"]
| table _time, owner, dns, Risk, Name, CVE, Solution, "See Also"
| rename dns AS Host

Search #2
sourcetype=scans
| rename dest_ip TO dns
| search severity_id>0
| stats count AS plugin_Count BY dns, signature_id, severity_id
| search plugin_Count>1
| lookup computers.csv ip AS dns OUTPUT nt_host AS hostname, owner AS sysadmin
| sort severity_id, sysadmin, hostname
| table sysadmin, hostname, dns, signature_id, severity_id, plugin_Count

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2019 02:06 PM

What do you want the combined search to generate as output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bewald_cfi
New Member
‎03-12-2019 02:12 PM

Rich - I would like the results to be: _time, owner, dns, Risk, Name, signature_id, severity_id, plugin_Count, Solution, "See Also". Then from the dashboard the sysadmin can select the owner and sort just on their asset findings.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...