
If I have two different searches without common fields, how can I combine them and display a single result?

pavanae
Builder

I got a strange situation here. I have two different searches as follows.

search 1:

index=* [ search index=_internal os=Windows sourcetype=splunkd 
| stats count by hostname 
| rename hostname as host 
| fields host ] 
| stats values(source) as sources by host

This displays all the Windows hosts and their sources across all the indexes.

And I have another search, as follows, which displays results for Windows as well as other operating systems that satisfy the same search condition.

search 2:

index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(source) as sources by host

Now I'm looking to write a search which displays the search 2 results from only the Windows hosts. I'm not sure whether we have to include search 1 to get the required result?

Any suggestions would be great, and points will be awarded for the best answer.


sundareshr
Legend

Try this:

index=* 
[ search index=_internal os=Windows sourcetype=splunkd 
  | stats count by hostname 
  | rename hostname as host 
  | fields host ] 
| regex _raw!=".2016-\d{2}-\d{2}." 
| stats values(source) as sources by host


pavanae
Builder

What if I want to display all the sourcetypes too for each host, besides the sources?


sundareshr
Legend

You can add that too. Like this:

index=* 
[ search index=_internal os=Windows sourcetype=splunkd 
  | stats count by hostname 
  | rename hostname as host 
  | fields host ] 
| regex _raw!=".2016-\d{2}-\d{2}." 
| stats values(source) as sources values(sourcetype) as sourcetypes by host
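As an added example (not from the thread), a small Python model of what the accepted search and its sourcetype variant do: the subsearch becomes an OR of host clauses, the regex command drops matching events, and stats groups what survives. The event data is constructed, and the exact clause shape Splunk substitutes is approximated.

```python
import re
from collections import defaultdict

# Constructed sample events: INTERNAL_EVENTS stands in for index=_internal
# sourcetype=splunkd, DATA_EVENTS for the data indexes searched by index=*.
INTERNAL_EVENTS = [
    {"hostname": "win-dc01", "os": "Windows", "sourcetype": "splunkd"},
    {"hostname": "win-web02", "os": "Windows", "sourcetype": "splunkd"},
    {"hostname": "win-old03", "os": "Windows", "sourcetype": "splunkd"},
    {"hostname": "lnx-db01", "os": "Linux", "sourcetype": "splunkd"},
]
DATA_EVENTS = [
    {"host": "win-dc01", "source": "WinEventLog:Security", "sourcetype": "WinEventLog", "_raw": "01/05/2017 logon"},
    {"host": "win-dc01", "source": "C:\\app\\app.log", "sourcetype": "app", "_raw": "x2016-03-01y stale"},
    {"host": "win-web02", "source": "C:\\inetpub\\logs\\u_ex.log", "sourcetype": "iis", "_raw": "GET /index"},
    {"host": "win-web02", "source": "C:\\inetpub\\logs\\u_ex.log", "sourcetype": "iis", "_raw": "GET /admin"},
    {"host": "win-old03", "source": "C:\\old\\old.log", "sourcetype": "app", "_raw": "a2016-12-31b only"},
    {"host": "lnx-db01", "source": "/var/log/syslog", "sourcetype": "syslog", "_raw": "cron run"},
]

# The regex from the thread: the dots are unescaped, so each matches any character.
DATE_PATTERN = re.compile(r".2016-\d{2}-\d{2}.")


def subsearch_windows_hosts(internal):
    """Model the subsearch: ... | stats count by hostname | rename hostname as host
    | fields host. Returns the host list and the OR clause Splunk substitutes
    into the outer search (shape approximated)."""
    hosts = sorted({e["hostname"] for e in internal
                    if e.get("os") == "Windows" and e.get("sourcetype") == "splunkd"})
    clause = " OR ".join(f'(host="{h}")' for h in hosts)
    return hosts, clause


def windows_sources(internal, data):
    """Outer search: keep events from subsearch hosts, drop those whose _raw
    matches DATE_PATTERN (regex _raw!=...), then stats values(source) and
    values(sourcetype) by host."""
    allowed = set(subsearch_windows_hosts(internal)[0])
    by_host = defaultdict(lambda: {"sources": set(), "sourcetypes": set()})
    for e in data:
        if e["host"] not in allowed or DATE_PATTERN.search(e["_raw"]):
            continue
        by_host[e["host"]]["sources"].add(e["source"])
        by_host[e["host"]]["sourcetypes"].add(e["sourcetype"])
    # Hosts whose events were all filtered out (win-old03) never reach stats,
    # so they are absent from the table rather than listed with empty values.
    return {h: {k: sorted(v) for k, v in fields.items()}
            for h, fields in sorted(by_host.items())}
```

A subsearch returns at most 10,000 results by default, so on a large Windows fleet check that the host list was not truncated before trusting the table as an inventory.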