Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Having source ip from 3 sourcetypes, how do I combine them all in one field and table the results?

esmonder
Path Finder
‎10-11-2017 12:32 AM

I have source ips from 3 different log sources with 3 different field names.
I want to have all the values from the 3 sources to come under one (new) field so that i can table the new field for a dashboard
here is what i have done with coalesce, but doesn't seem to give me what i want.

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| iplocation src_ip 
| iplocation Source_address 
| iplocation src 
| where Country="Israel" 
| eval my_src_ip = coalesce(src_ip, Source_address,src)
| table _time, my_src_ip

src_ip and src has 21 values each, src has 4 values. but my_src_ip only has 4 values, where i should be expected 46 values
Obviously coalesce is the wrong command to use, but please point in the right direction! Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2017 12:53 AM

Hi esmonder,
you can use coalesce function

 (sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
| eval my_src_ip=coalesce(src, src_ip, Source_address)
| iplocation my_src_ip 
| where Country="Israel" 
| table _time, my_src_ip

Bye.
Giuseppe

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-11-2017 12:38 AM

Try this 

(sourcetype=eStreamer priority=high) OR (sourcetype=incapsula CEF_Severity>=7) OR (sourcetype="symantec:ep:security:file"  severity=critical)
 | rename src_ip as src, Source_address as src
 | iplocation src 
 | where Country="Israel" 
 | table _time, src
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...