I need to produce an extract to use as a data source for a third party application. The application needs the data in a csv format and required data from two sourcetypes. I can search for one sourcetype and then append the second search, but the tabled output is uneven. Here is an example - I need for two data sets to be merged.
index=os host=xxxxxxx sourcetype=puppet_facts | dedup host | append [search index=os host=xxxxxxx sourcetype=package | multikv | dedup VENDOR,NAME,VERSION ] | table host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION
needed output format - host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION
- (I am ignoring the Domain and User fields right now)
results
host01 Cisco Systems Inc RedHat
host01 Red Hat, Inc. redhat-lsb 4.0
host01 Red Hat, Inc. infinipath-psm 3.0.1
How do I combine the output of rows 1 and 2 for every result, like this?
host01 Cisco Systems Inc RedHat Red Hat, Inc. redhat-lsb 4.0
host01 Cisco Systems Inc RedHat Red Hat, Inc. infinipath-psm 3.0.1
Also - is it possible to hardcode certain values? For example
host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION
so the output would be
host01 Domain server Cisco Systems Inc User RedHat Red Hat, Inc. redhat-lsb 4.0
Thanks for any feedback!
Without a little bit of sample data, this is what I think would work (non-tested, kid approved)
index=os host=xxxxxxx sourcetype=puppet_facts OR sourcetype=package | multikv | stats latest(Domain) as Domain latest(...) as ... by host, NAME, VERSION
Replace the ... with the rest of your fields listed, one by one. This will give you an aggregation by NAME and VERSION and host. This also reduces the number of searches from 2 to 1, which is helpful for speed and optimization.
To answer the hardcode-values-subquestion, sure:
... | eval manufacturer = "Cisco Systems Inc" | ...
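An added end-to-end version of this extract (my own example, not the answer's query, and not run against a live instance) that pulls the per-host facts onto every package row with eventstats, fills the hardcoded Domain and User columns, and writes the CSV for the third-party tool; host=xxxxxxx and the field names are the placeholders and fields from the question, and inventory_extract is an assumed file name.

```spl
index=os host=xxxxxxx sourcetype=package
| multikv
| dedup VENDOR NAME VERSION
| append
    [ search index=os host=xxxxxxx sourcetype=puppet_facts
      | dedup host
      | fields host server manufacturer operatingsystem ]
| eventstats latest(server) as server latest(manufacturer) as manufacturer latest(operatingsystem) as operatingsystem by host
| where sourcetype="package"
| eval Domain="Domain", User="User"
| table host Domain server manufacturer User operatingsystem VENDOR NAME VERSION
| outputcsv inventory_extract
```

The eventstats step copies the single puppet_facts row's values onto each package row for the same host, and the where clause then drops the facts row itself so only fully populated package rows reach the CSV; outputcsv writes the file under $SPLUNK_HOME/var/run/splunk/csv/.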