Splunk Search

Can I join fields output from two extensive search queries to create a list of fields on which I can run my final query to get the desired result?

vikfnu
Explorer

I am new to Splunk and right now trying to create a dashboard for IT.
I have different CSV files for AV, Patch, and Software Installed.
I am able to individually upload all the CSV files into the same index and perform search operations to calculate the AVNotInstalled_status, PatchNotInstalled_status, SoftwareInstalledExpired_status.
But when I want to combine the AV, Patch and SW status fields by joining the search queries as I have written, I am not able to get the desired combination.

Any help appreciated.

P.S. I am new to Splunk Help. Please let me know if I need to provide any more information. I can't share data or search queries due to confidentiality agreements.

0 Karma

DalJeanis
SplunkTrust

Okay, here is what you need to give us, at a minimum, for us to be able to help.

1) The format of each of the files, with non-confidential sample data. Mark them each with the code button (101 010) so they stay formatted the way you want them. You could also indent them by four or more spaces and that will work too.

2) What your current code is (mark it as code, same way.)

3) What your current output is (same).

If you understand your data, then you can get us non-confidential versions of it. You really need to break the problem down into a "toy" problem, with a minimum number of fields. The fields can be called "foo" and "bar", or "field1" and "field2", or "animal" and "flower", it doesn't matter.

Before you try to do that, go read my response on this one, which tells you somewhat how to think about writing Splunk queries:

https://answers.splunk.com/answers/561130/how-to-join-two-tables-where-the-key-is-named-diff.html

0 Karma

vikfnu
Explorer

Hi @DalJeanis

I had raised another query before this one was answered. I have also added comments as you have suggested.
Please refer to that query and provide me guidance.

https://answers.splunk.com/answers/676859/best-practice-for-uploading-csv-files-or-else-issu.html
0 Karma

vikfnu
Explorer

Hi @MuS, can you have a look at my query and give me a suggestion?

0 Karma

MuS
SplunkTrust

Hi vikfnu,

Without further and much more detailed information, it is impossible to help you. If you cannot share the search nor the data, then there is not much we can do ¯\_(ツ)_/¯

cheers, MuS

0 Karma