Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

combine 2 searches

chadman
Path Finder
‎06-04-2015 11:10 AM

I have a search that finds computers that have not checked in for the last couple min. It seems to give the results I need, but I need some more specific information from each host that this command finds.

metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400

| sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration")
|rename field_in_ddhhmmss as "Time Offline" | table host,lastTime,"Time Offline

So I would like to then add some columns to my table that are specific to each host that it finds. So the search below would show me the extra data I need. How can I combine these to work together.

sourcetype=_sort=PUT HOST FROM OTHER SEARCH HERE earliest=1
| head 1 | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State"
host as "Serial Number" os_install_date as "Build Date" model as "Model" city as "City"
|table host,"Total Disk GB","Model","Total Memory","Serial Number","ISP","City","State"
"Build Date"

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2015 11:20 AM

You could use a join.

metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400 | join host [search sourcetype=_sort | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State" os_install_date as "Build Date" model as "Model" city as "City"] | sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration") |rename field_in_ddhhmmss as "Time Offline" | table host,lastTime,"Time Offline","Total Disk GB","Model","Total Memory","ISP","City","State","Build Date"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2015 11:20 AM

You could use a join.

metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400 | join host [search sourcetype=_sort | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State" os_install_date as "Build Date" model as "Model" city as "City"] | sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration") |rename field_in_ddhhmmss as "Time Offline" | table host,lastTime,"Time Offline","Total Disk GB","Model","Total Memory","ISP","City","State","Build Date"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

chadman
Path Finder
‎06-04-2015 12:42 PM

Worked great! Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...