Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join fields from 2 different sourcetypes into 1 table?

manderson7
Contributor
‎06-09-2017 11:26 AM

I need to join fields from 2 different sourcetypes into 1 table. Sourcetype A contains the field "cve_str_list" that I want, as well as the fields "criticality_description" and "advisory_identifier". "advisory_identifier" shares the same values as sourcetype b "advisory.advisory_identifier". From sourcetype b, I'd also like "title", "assigned_to.username".

I believe I can create a new field for advisory.advisory_identifier and advisory_identifier using

eval advisory.identifier = coalesce(advisory_identifier,advisory.advisory_identifier)
I'm uncertain how to get the rest of the fields into the search and table so they're mapped to the events from the other sourcetype. I've tried 

| stats first(criticality_description) as criticality_description  
first(advisory.title) as advisory.title
first(asset_list.name) as asset_list.name
first(advisory.solution_status_description) as advisory.solution_status_description
by advisory.identifier

But that seemed to have put the sourcetype a data into different events than the sourcetype b data.
I've also tried the append function, but it doesn't add the cve_str_list field into the fields from the other sourcetype.

sourcetype=a status.name=* queue.name="*" priority.name=* | rename advisory.advisory_identifier AS advisory_identifier | append [search sourcetype=b advisory_identifier=* cve_str_list=*]
|dedup id| table id priority.name asset_list.name  advisory.title last_updated assigned_to.username queue.name status.name advisory_identifier cve_str_list

Can someone help me in arranging this search? Thank you.

0 Karma
Reply

somesoni2
Revered Legend
‎06-09-2017 12:37 PM

Give this a try

(sourcetype=a status.name=* queue.name="*" priority.name=* ) OR (sourcetype=b advisory_identifier=* cve_str_list=*)
| eval advisory_identifier = coalesce(advisory_identifier,'advisory.advisory_identifier')
| stats  values(criticality_description) as criticality_description  
 values("advisory.title") as advisory_title
 values("asset_list.name") as asset_list_name
 values("advisory.solution_status_description") as advisory_solution_status_description
 by advisory_identifier
0 Karma
Reply

manderson7
Contributor
‎06-09-2017 01:02 PM

That gives me the table of advisory_identifier, criticality_description, advisory_title, asset_list.name and advisory.solution_status_description. The only fields that have values are advisory_identifier and criticality_description. It doesn't look like this is merging the fields/values of the sourcetypes.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...