Good day,
I have done a join on two indexes before to add more information to one event, for example to get the department for a user from network events. But now I want to add two indexes to give me more data.
For example, index one will display:
host 1 10.0.0.2
host 2 10.0.0.3
And index two will display:
host 3 10.0.0.4
host 1 10.0.0.2
What I want is:
host 1 10.0.0.2
host 2 10.0.0.3
host 3 10.0.0.4
index=db_azure_activity sourcetype=azure:monitor:activity change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" as subscription
| dedup object
| where command!="MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
| table change_type object resource_group subscription command _time
| sort object asc

index=* sourcetype=o365:management:activity
| rename "PropertyBag{}.AssessmentStatusPerInitiative{}.ResourceName" as ResourceName
| rename "PropertyBag{}.AssessmentStatusPerInitiative{}.CloudProvider" as CloudProvider
| rename "PropertyBag{}.AssessmentStatusPerInitiative{}.ResourceType" as ResourceTypes
| rename "PropertyBag{}.AssessmentStatusPerInitiative{}.EventType" as EventType
| where ResourceTypes="Microsoft.Compute/virtualMachines" OR ResourceTypes="microsoft.compute/virtualmachines"
| eval object=mvdedup(split(ResourceName," "))
| eval Provider=mvdedup(split(CloudProvider," "))
| eval Type=mvdedup(split(ResourceTypes," "))
| dedup object
| where EventType!="Microsoft.Security/assessments/Delete"
| table object, Provider, Type *
| sort object asc
Hi @JandrevdM ,
Splunk has the join command, but I don't suggest it because it's very slow and requires many resources.
If you have fewer than 50,000 results in the second search, you could use this solution, joining events using the stats command:
index=db_azure_activity sourcetype=azure:monitor:activity change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" AS subscription
| dedup object
| where command!="MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
| table change_type object resource_group subscription command _time
| sort object asc
| append [ search
index=* sourcetype=o365:management:activity
| rename
"PropertyBag{}.AssessmentStatusPerInitiative{}.ResourceName" as ResourceName,
"PropertyBag{}.AssessmentStatusPerInitiative{}.CloudProvider" as CloudProvider,
"PropertyBag{}.AssessmentStatusPerInitiative{}.ResourceType" as ResourceTypes,
"PropertyBag{}.AssessmentStatusPerInitiative{}.EventType" as EventType
| where ResourceTypes="Microsoft.Compute/virtualMachines" OR ResourceTypes="microsoft.compute/virtualmachines"
| eval
object=mvdedup(split(ResourceName," ")),
Provider=mvdedup(split(CloudProvider," ")),
Type=mvdedup(split(ResourceTypes," "))
| dedup object
| where EventType!="Microsoft.Security/assessments/Delete"
| table object, Provider, Type *
| sort object asc ]
| stats values(*) AS * BY object
eventually limiting the displayed fields according to your requirements.
Ciao.
Giuseppe
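As an added run-anywhere example (not part of the question or of Giuseppe's answer), here is the same append-then-stats pattern applied to the three hosts from the question. The rows are built with makeresults so it needs no index; the field names object, ip and seen_in are constructed for the demo, and seen_in records which "index" each row came from so the merge is visible.

```spl
| makeresults count=2
| streamstats count AS n
| eval object=case(n=1, "host 1", n=2, "host 2"),
       ip=case(n=1, "10.0.0.2", n=2, "10.0.0.3"),
       seen_in="index one"
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval object=case(n=1, "host 3", n=2, "host 1"),
            ip=case(n=1, "10.0.0.4", n=2, "10.0.0.2"),
            seen_in="index two"]
| fields - _time n
| stats values(*) AS * BY object
| sort object asc
```

The output is one row per object: host 1 with ip 10.0.0.2 and seen_in holding both "index one" and "index two", host 2 with 10.0.0.3 from index one, and host 3 with 10.0.0.4 from index two. Two points worth knowing before using this on real data: values(*) turns every non-key field into a deduplicated multivalue list, so a host reported with different IPs by the two sources shows both values side by side, which is a useful inventory discrepancy to review rather than something to suppress; and append's subsearch is bounded by its own defaults (50,000 results and 60 seconds), so when the second search is larger, put both sourcetypes into one base search joined with OR, normalise the key field with eval, and run the same stats values(*) AS * BY object over the combined results, which has no subsearch limit. Dropping _time before stats keeps timestamps from being collapsed into a multivalue field; keep it if you want the merged rows to show every time each host was seen.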