Monitoring Splunk

Can you help me with my subsearch?

jip31
Motivator

Hello

I tried to combine the first query (before | append) with the subsearch ( [ search index=......... ) but it doesn't work.
Could you help me please?

eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| rename Name as Application
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\xx\master\\WindowsVersion"
    | eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion",data, null)
    ]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time
0 Karma
1 Solution

inventsekar
Ultra Champion

As per my understanding of the "append" command, we have to keep the rows the same (or the list of fields) on both searches.

(A bit modified version... you may need to edit it)

eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry
      key_path="\\registry\\machine\\software\\wow6432node\\xx\master\\WindowsVersion"
    | stats dc(_time) as Erreurs by Name host
    ]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time


0 Karma

jip31
Motivator

Hi, it doesn't work: no _time, eventcode, level and OS event...

0 Karma

inventsekar
Ultra Champion

I am not sure, but let's check this - try to return the same table fields from the append back to the original search.

eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3) | dedup _time Name
| stats dc(_time) as Erreurs by Name host
| rename Name as Application
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\xx\master\\WindowsVersion"
    | eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion",data, null)
    | table _time host Name Level EventCode OS
    ]
| table _time host Name Level EventCode OS
| rename Name as Application
| sort -_time
0 Karma
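An added example, not from any post in this thread, showing one way to use append when the two searches do not share the same fields: the subsearch reduces the registry events to one OS value per host, eventstats then copies that OS onto every application row with the same host, and the registry-only rows are dropped. It assumes the field names from the question (Name, Level, Erreurs, the WinRegistry data field) and the same key_path as posted.

```spl
eventtype="AppliEV" Name="'*'" (Level=1 OR Level=3)
| dedup _time Name
| stats dc(_time) as Erreurs by Name host
| append
    [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry
      key_path="\\registry\\machine\\software\\wow6432node\\xx\master\\WindowsVersion"
    | eval OS=data
    | stats latest(OS) as OS by host ]
| eventstats values(OS) as OS by host
| where isnotnull(Name)
| rename Name as Application
| table host Application Erreurs OS
| sort -Erreurs
```

Note that stats dc(_time) ... by Name host discards _time, Level and EventCode, so those fields cannot appear in a table after the count; keep them only if you drop the stats and correlate on the raw events instead.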