Splunk Search

any way to combine the results from two sourcetypes without a common field to use for a join and then table the output?

ebailey
Communicator

I need to produce an extract to use as a data source for a third party application. The application needs the data in a csv format and required data from two sourcetypes. I can search for one sourcetype and then append the second search, but the tabled output is uneven. Here is an example - I need for two data sets to be merged.

index=os host=xxxxxxx sourcetype=puppet_facts | dedup host | append [search index=os host=xxxxxxx sourcetype=package | multikv | dedup VENDOR,NAME,VERSION ] | table host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION

needed output format - host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION - (i am ignoring the Domain and User field right now )

results

host01          Cisco Systems Inc       RedHat           
host01                                                         Red Hat, Inc.    redhat-lsb          4.0
host01                                                                Red Hat, Inc. infinipath-psm  3.0.1

How do I combine the output for row and 2 for every result to like this?

host01          Cisco Systems Inc       RedHat       Red Hat, Inc.  redhat-lsb          4.0  
host01          Cisco Systems Inc       RedHat           Red Hat, Inc.  infinipath-psm  3.0.1                                

Also - is it possible to hardcode certain values? For example

      host,Domain,server,manufacturer,User,operatingsystem,VENDOR,NAME,VERSION

so the output would be

host01 Domain server     Cisco Systems Inc User RedHat Red Hat, Inc.    redhat-lsb 4.0   

Thanks for any feedback!

Tags (3)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Without a little bit of sample data, this is what I think would work (non-tested, kid approved)

index=os host=xxxxxxx sourcetype=puppet_facts OR sourcetype=package | multikv | stats latest(Domain) as Domain latest(...) as ... by host, NAME, VERSION

Replace the ... with the rest of your fields listed, one by one. This will give you an aggregation by NAME and VERSION and host. This also reduces the number of searches from 2 to 1, which is helpful for speed and optimization.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

To answer the hardcode-values-subquestion, sure:

... | eval manufacturer = "Cisco Systems Inc" | ...
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...