Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

concatene 2 similar search

jip31
Motivator
‎07-27-2018 12:15 AM

hi

i try to concatene 2 similar query

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
| stats first(data) as PatchLevel by host
]


| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 

| stats first(data) as WindowsVersion by host
]

i m doing something like this but it doesnt works

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
OR
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
|stats first(data) as PatchLevel by host, first(data) as WindowsVersion by host]
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2018 10:29 AM

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2018 10:29 AM

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-05-2018 01:30 AM

Hi and thanks
it works for these 2 key path
BUT
I need to add o ne key and i done this
| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry
key_path="\registry\machine\software\wow6432node\xx\master\PatchLevel"
OR
key_path="\registry\machine\software\wow6432node\xx\master\WindowsVersion"
OR
key_path="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId"
| rex field=key_path "(?\w+)$" | chart first(data) by host type]

But i have no data for ReleaseID
Other questions :
what is the reason why you user "rex" and "chart"?
thanks

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-05-2018 01:39 AM

oh i found for the 3 key 😉
so just tell me please what is the reason why you user "rex" and "chart"?
thanks

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎07-27-2018 12:26 AM

@jip31,

Try something like this .. 

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\WindowsVersion" 
 |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data]
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-01-2018 10:20 PM

hello
nobody for helping me please??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-01-2018 11:02 PM

something like this??

join type=outer host [append [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel" 
 OR   key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" 
  |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-02-2018 10:04 AM

In fact my main question is To know how to use append with a jointure field (host in my example)?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-27-2018 01:10 AM

it doesnt works

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-27-2018 01:11 AM

please modify the key like in your answer :
\registry\machine\software\wow6432node\*XX*\master\PatchLevel"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...