Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search query to combine data from 2 different index not working

neerajs_81
Builder
‎08-11-2024 10:31 PM

Hi All,
i need to consolidate / correlate data from 2 different indexes as explained below. I have gone thru multiple posts on this forum from experts relevant to this but somehow for my use case, the same query ain't working. I have below situation:
In Index=windows , the field "host" contains all the different hosts sending logs to Splunk. For example: Host01, Host02 etc.
In another index=cmdb, the field "dv_name" contain the same hostnames sending logs.   Also, there are other fields like dv_status and dv_os in this index which i need to be part of final output

So as explained above,  the common link is the host field, its name is different across the 2 index, but the values are same.

 


When i run the following 2 queries to get my expected output, it only pulls data from windows index. It completely avoids the other cmdb index, irrespective of the fact the cmdb index has data / events from same hosts in the time range whatever i select.

 

 

(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*)
| eval asset_name=coalesce(dv_name, host)
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name

 

 

Output it it showing:  

asset_nameidx_countindexdv_osdv_status
Host011windows  
Host021windows  

 

Expected output

asset_nameidx_countindexdv_osdv_install_status
Host012windows, cmdbWindows ServerProduction
Host022windows, cmdbWindows ServerTest



Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-12-2024 12:12 AM

Case does matter - as far as Splunk is concerned they are two different hosts - you could try converting to lower case

(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*)
| eval asset_name=lower(coalesce(dv_name, host))
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name

View solution in original post

Reply
Solved! Jump to solution

KendallW
Contributor
‎08-11-2024 10:51 PM

 

Hi @neerajs_81 try just renaming the dv_name field instead of creating a new field with coalesce, e.g.:

(index=cmdb sourcetye=server) OR (index=windows)
| rename dv_name as host
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by host

 



Reply
Solved! Jump to solution

neerajs_81
Builder
‎08-11-2024 10:58 PM

That didn't work. Query does not show any results if we rename the dv_name to host. That is because host is a default field  and for index=cmdb, the host field originally contains the name of the Log source (ServiceNow) sending over the asset information to splunk. Renaming it overwrites the default field.
thanks for replying though.

0 Karma
Reply
Solved! Jump to solution

KendallW
Contributor
‎08-11-2024 11:15 PM

It shouldn't matter what is contained in the host field in the 'cmdb' index as we are overwriting it. There is no problem with overwriting default fields in a search.
Regardless, I still can't see why your original query didn't work. - There may be some whitespace or other strange characters in some of the field values from one of the indexes causing them to not match with the other index. Are you able to check this?

Reply
Solved! Jump to solution

neerajs_81
Builder
‎08-12-2024 12:04 AM

Hi @KendallW  Does the coalesce or rename command treat the hostnames differently if they are different in cases? One is lower case in one index and other index has the same hostname in Upper case. Is the merge case sensitive ?  For example,  HOST01 which is one of the values in host field of index=windows, is actually  host01 in index=cmdb ( under the dv_name) field.  

That explains why the consolidation via coalesce or rename ain't working.

0 Karma
Reply
Solved! Jump to solution

KendallW
Contributor
‎08-12-2024 09:21 PM

As per @ITWhisperer 's comment, yes it is case sensitive. Use eval upper or lower to convert them all to the same case

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-12-2024 12:12 AM

Case does matter - as far as Splunk is concerned they are two different hosts - you could try converting to lower case

(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*)
| eval asset_name=lower(coalesce(dv_name, host))
| stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...