Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Trying to join multiple searches into one big ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search |rename Name as Threat | stats count by Threat | sort -count
and
search |rename suser as User | stats count by User | sort -count
and
search | |rename dvchost as Host | stats count by Host | sort -count
the search is the same for all searches and I want the output to look like this:
Threat count User count Host count
PUP.Optional.ASK 36 CHollows 16 KVM 9974
PUM.Optional.DisableChromeUpdates 8 DFoghat 8 GIB 114
PUP.Optional.SuperOptimizer 4 AAerosmith 4 DWI 36
Exploit payload process blocked 1 FTelsa 4 STP 31
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You haven't mentioned any common field to use join. If you still want to show them as you need, without any relation between the fields, you can go with "appendcols" See query below:
search..... |rename Name as Threat | stats count as ThreatCount by Threat | sort -ThreatCount |
appendcols [search ....|rename suser as User | stats count as UserCount by User | sort -UserCount ] |
appendcols [ search ..... |rename dvchost as Host | stats count as HostCount by Host | sort -HostCount]
Just changed the column names of count to make them unique
Hope this works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need multireport; try this:
search
| foreach Name suser dvchost [ eval <<FIELD>>=coalesce(<<FIELD>>, "NULL") ]
| stats count BY Name suser dvchost
| multireport
[ stats sum(count) AS count BY Name | sort 0 - count | rename Name AS Threat ]
[ stats sum(count) AS count BY suser | sort 0 - count | rename Name AS User ]
[ stats sum(count) AS count BY dvchost | sort 0 - count | rename Name AS Host ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You haven't mentioned any common field to use join. If you still want to show them as you need, without any relation between the fields, you can go with "appendcols" See query below:
search..... |rename Name as Threat | stats count as ThreatCount by Threat | sort -ThreatCount |
appendcols [search ....|rename suser as User | stats count as UserCount by User | sort -UserCount ] |
appendcols [ search ..... |rename dvchost as Host | stats count as HostCount by Host | sort -HostCount]
Just changed the column names of count to make them unique
Hope this works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will highly recommend against this method, very heavy search and unnecessary subsearch. also take into consideration the subsearch limitations. read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutsubsearches#Subsearch_performance_con...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
... your search ... | stats count(Name) as Threats count(suser) as User count(dvchost) as Host ...
that will make your search more efficient and 1 search is enough. no join, no rename
hope it helps
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
