×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sdcig
Explorer
Member since: ‎01-04-2025
‎02-22-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 7
Karma Received 0
Member Since ‎01-04-2025
Activity Feed
View All

Re: How to rename fields when using 2 queries with...

by in Splunk Search
‎01-08-2025 10:15 AM
‎01-08-2025 10:15 AM
Thanks @bowesmana @yuanliu @gcusello for your help and input.   One thing I'm still missing is being able to populate values in all the fields listed. Let me explain with some screenshots for better context -   The output of just corelight query shows values for the fields -   The output of just the firewall query shows values for all related fields -   However, the output of the suggested OR queries does not populate the values of many of the fields (highlighted in red)- eg (1).    eg (2).  I only see 5 values when using stats values (*) by * in the OR query (seems like it's just the fields that are common to both indices and none of others listed will be displayed?)     Any suggestions on this?   Thanks! ... View more

Re: How to rename fields when using 2 queries with...

by in Splunk Search
‎01-07-2025 09:05 AM
‎01-07-2025 09:05 AM
Thanks @gcusello for your response and guidance.  I tried your query and it's giving me results, however it's only populating 5 fields which are ones that are common to both indices.   How do you suggest I modify the query so the output also displays all the following fields that are under index="*firewall*"?     src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name         My intent is to display the data in the following order (that includes fields from both indices) if possible - ***specific fields from index=corelight are in bold for reference src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC", ssl_version AS Version, ssl_cipher AS ENCRPT_ALGO   Thanks! ... View more

How to rename fields when using 2 queries with OR

by in Splunk Search
‎01-07-2025 08:32 AM
‎01-07-2025 08:32 AM
Hello, I have 2 queries where indices are different and have a common field dest_ip which is my focus(same field name in both indices). Please note that there are also some other common fields such as src_ip, action etc.   Query 1:   index=*corelight* sourcetype=*corelight* server_name="*microsoft.com*   additional fields: action, ssl_version, ssl_cipher   Query 2:   index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100   additional fields: _time, src_zone, src_ip, dest_zone, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name     I'm trying to output all the corresponding server_names for each dest_ip, as a table with all the listed fields from both query outputs   I'm new to Splunk and learning my way; I've tried the following so far -   A) using join (which is usually very slow and sometimes doesn't give me a result)   index=*corelight* sourcetype=*corelight* server_name=*microsoft.com* | join dest_ip [ search index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100 | fields src_ip, src_user, dest_ip, rule, action, app, transport, version, session_end_reason, dvc_name, bytes_out ] | dedup server_name | table _time, src_ip, dest_ip, transport, dest_port, app, rule, server_name, action, session_end_reason, dvc_name | rename _time as "timestamp", transport as "protocol"     b) using an OR    (index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100) | dedup src_ip, dest_ip | table src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name | rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"       My questions - Would you suggest a better way to write/construct my above queries?   In my OR output, I only see a couple of columns populating values (eg. src_ip, dest_ip, action) while the rest are empty. My guess is they're populating because I'm doing an inner join and these are the common fields between the two. Since I'm unable to populate the others, maybe I need to do a left join?   Can you kindly guide me on how to rename fields specific to each index when combining queries using OR? I've tried a few times but haven't been successful For example, in my above OR statement - how and where in the query do I rename the field ssl_cipher in index=*corelight* to ENCRYPT_ALGORITHM?    Many thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-22-2025 10:48 PM
Karma given to