I'm using Splunk 6.1.4, which is unable to accelerate multiple objects within a single data model. Because of this, I've created 4 data models and accelerated each.
I try to combine the results like this:
| tstats prestats=TRUE append=TRUE summariesonly=TRUE count FROM datamodel=Thing1 by sourcetype Object1.src_ip Object1.src_port Object1.dest_ip Object1.dest_port Object1.sc_filter_result
| tstats prestats=TRUE append=TRUE summariesonly=TRUE count FROM datamodel=Thing2 by sourcetype Object2.src_ip Object2.src_port Object2.dest_ip Object2.dest_port Object2.signature Object2.act
| tstats prestats=TRUE append=TRUE summariesonly=TRUE count FROM datamodel=Thing3 by sourcetype Object3.src_ip Object3.src_port Object3.dest_ip Object3.dest_port Object3.action
| tstats prestats=TRUE append=TRUE summariesonly=TRUE count FROM datamodel=Thing4 by sourcetype Object4.src_ip Object4.dest_ip Object4.signature Object4.src_port Object4.dest_port
| eval src_ip=coalesce(Object1.src_ip, Object2.src_ip, Object3.src_ip, Object4.src_ip)
| eval dest_ip=coalesce(Object1.dest_ip, Object2.dest_ip, Object3.dest_ip, Object4.dest_ip)
| eval src_port=coalesce(Object1.src_port, Object2.src_port, Object3.src_port, Object4.src_port)
| eval dest_port=coalesce(Object1.dest_port, Object2.dest_port, Object3.dest_port, Object4.dest_port)
| eval signature=coalesce(Object2.signature, Object4.src_ip)
| eval action=coalesce(Object1.sc_filter_result, Object2.act, Object3.action, Object4.src_ip)
| table sourcetype signature action src_ip src_port dest_ip dest_port
It doesn't work at all, and I think this is because the eval command only applies within the namespace of each data model object. That is, src_ip doesn't get created by the eval statement, only Object(n).src_ip. How can I combine data from multiple data models (while taking advantage of acceleration)?
Thanks!