Splunk Search

concatene 2 similar search

jip31
Motivator

hi

i try to concatene 2 similar query

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
| stats first(data) as PatchLevel by host
]


| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 

| stats first(data) as WindowsVersion by host
]

i m doing something like this but it doesnt works

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
OR
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
|stats first(data) as PatchLevel by host, first(data) as WindowsVersion by host]
Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]

View solution in original post

0 Karma

somesoni2
Revered Legend

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]
0 Karma

jip31
Motivator

Hi and thanks
it works for these 2 key path
BUT
I need to add o ne key and i done this
| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry
key_path="\registry\machine\software\wow6432node\xx\master\PatchLevel"
OR
key_path="\registry\machine\software\wow6432node\xx\master\WindowsVersion"
OR
key_path="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId"
| rex field=key_path "(?\w+)$" | chart first(data) by host type]

But i have no data for ReleaseID
Other questions :
what is the reason why you user "rex" and "chart"?
thanks

0 Karma

jip31
Motivator

oh i found for the 3 key 😉
so just tell me please what is the reason why you user "rex" and "chart"?
thanks

0 Karma

Shan
Builder

@jip31,

Try something like this ..

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\WindowsVersion" 
 |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data]
0 Karma

jip31
Motivator

hello
nobody for helping me please??

0 Karma

jip31
Motivator

something like this??

join type=outer host [append [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel" 
 OR   key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" 
  |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data
0 Karma

jip31
Motivator

In fact my main question is To know how to use append with a jointure field (host in my example)?

0 Karma

jip31
Motivator

it doesnt works

0 Karma

jip31
Motivator

please modify the key like in your answer :
\registry\machine\software\wow6432node\*XX*\master\PatchLevel"

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...