Is it possible to search two different indices and have the results in a single table? The indices are...
index=_internal source=*web_access.log* /app/ action=edit
| rex "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)"
| table dashboard_name, _time, app_name, user
and
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"
| rex field=search "index=(?P<search_index>[^ ]+)"
| stats count by search_index, user
| sort - count
| table search_index, user, count
Please let me know! Thank you so much.
You can join searches in many ways, but almost all of them are subject to the 50K-ish event limit, so beware of this:
index=_internal source=*web_access.log* /app/ action=edit
| rex "/app/(?<app_name>.\w+)/(?<dashboard_name>.\w+)"
| table dashboard_name, _time, app_name, user
| append
[ search index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"
| rex field=search "index=(?P<search_index>[^ ]+)"
| stats count by search_index, user
| sort - count
| table search_index, user, count ]
Hi eyaluodba,
Sure, read more about the topic in this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or in the Virtual .conf March 2016 session over here http://wiki.splunk.com/Virtual_.conf
For a start just combine your base searches:
( index=_internal source=*web_access.log* /app/ action=edit ) OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" )
followed by any further commands you need to get to your required result.
Hope that helps ...
cheers, MuS
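Both answers above stop short of the final pipeline: the first shows the `append` route (with its subsearch event cap), the second shows the combined `OR` base search but leaves the "further commands" to the reader. The following is an added example, not code posted in this thread, that carries the `OR` approach through to one table keyed by `user`. It assumes the same two data sources as the question; the regex for `app_name`/`dashboard_name` is changed from the original `.\w+` to `[^/\s?]+` so that app and dashboard names containing hyphens are still captured, and the `event_type` label is an invented name for telling the two branches apart.

```spl
( index=_internal source=*web_access.log* /app/ action=edit )
OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" )
| rex "/app/(?<app_name>[^/\s?]+)/(?<dashboard_name>[^/\s?]+)"
| rex field=search "index=(?P<search_index>[^ ]+)"
| eval event_type=if(index=="_internal", "dashboard_edit", "search_granted")
| stats count as events,
        values(app_name) as apps,
        values(dashboard_name) as dashboards,
        values(search_index) as indexes_searched,
        min(_time) as first_seen,
        max(_time) as last_seen
  by user, event_type
| convert ctime(first_seen) ctime(last_seen)
| sort user, - events
```

Because the two base searches are combined in a single `search`, every matching event from both indices reaches `stats` directly, so there is no `append` subsearch and no 50K cap to worry about. Each `rex` only populates its fields on events that actually contain the pattern, which is why the `_internal` rows end up with `apps`/`dashboards` and the `_audit` rows with `indexes_searched`; the `event_type` eval on the built-in `index` field keeps the two kinds of rows distinguishable once they sit in the same table. From a review standpoint this gives, per user, what dashboards they edited and which indexes their granted searches touched, which is the kind of side-by-side view the question is after.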
Thank you!
Thank you !