Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I join these two searches to get OS type?

Sampathu
Explorer
‎10-21-2015 07:30 AM

Hi,

When I run the searches below separately, they give me exact result, but when I tried joining them, it was not successful. Is there any way of joining them efficiently? Below are the searches and condition host=hostname. 

| metadata type=hosts| sort -recentTime| convert ctime(recentTime) as Last_Report_Time

index=_internal fwdType="*"|dedup sourceHost| table sourceHost, hostname, os
Tags (3)
0 Karma
Reply

MuS
Legend
‎10-21-2015 01:40 PM

Hi Sampathu,

what's your intension to do so - do you want to find forwarder not sending and create an alert?

If so don't re-invent the wheel - either use this app https://splunkbase.splunk.com/app/1294/#/overview if your pre Splunk 6.2 or run DMC http://docs.splunk.com/Documentation/Splunk/6.3.0/DMC/DMCoverview

Both have plenty of pre-build alerts to handle this.

Hope this helps ...

cheers, MuS

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...