Splunk Search

How to join two searches and table it?

janitka
Explorer

Hello,

I'm trying to join two searches, and i need to use host in the other one, to be able to table it by DesktopGroupName and installed apps. (| table host DisplayName DisplayVersion DesktopGroupName)

host = MachineName, that fields contains same values, in same format.

index = "windows" sourcetype="Script:InstalledApps" - host used
sourcetype="xendesktop:7:machine" xd_index - MachineName used

I can do advanced dashboards, but never tried to do this, any help appreciated.

Jan

Tags (1)
0 Karma

janitka
Explorer

Found the solution.

index = "windows" sourcetype="Script:InstalledApps" | join host [ search sourcetype="xendesktop:7:machine" | eval host=MachineName ]
| table MachineName DesktopGroupName DisplayName DisplayVersion

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @janitka,
what's the relation between the two searches? I don't see common fields.
If the common field is host you can use something like this:

(index = "windows" sourcetype="Script:InstalledApps" host="$MachineName$") OR (sourcetype="xendesktop:7:machine" 'xd_index' MachineName="$XXX$")
| stats values(DisplayName) AS DisplayName values(DisplayVersion) AS DisplayVersion values(MachineName) AS MachineName values(DesktopGroupName) AS DesktopGroupName BY host

Ciao.
Giuseppe

0 Karma

janitka
Explorer

values returned for host are the same and in same format as for MachineName.. so i would like to use host=$variable$ to be passed to the other source, MachineName, to display DesktopGroupName, from xendesktop... joining two searches into one panel, as i can do it for each search alone.

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @janitka,
Ok try this

 (index = "windows" sourcetype="Script:InstalledApps" ) OR (sourcetype="xendesktop:7:machine" 'xd_index' MachineName="$XXX$") host="$MachineName$"
 | stats values(DisplayName) AS DisplayName values(DisplayVersion) AS DisplayVersion values(MachineName) AS MachineName values(DesktopGroupName) AS DesktopGroupName BY host

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @janitka,
join isn't a performant command, I hint you to explore an approach as the one described in my solution.
Ciao.
Giuseppe

0 Karma

janitka
Explorer

hello,

your search is resulting in bellow

https://imgur.com/d6u6Dxm

because for the second source, host is used for server names, in first for every machine.

When i sort it by MachineName, and not host, i miss DisplayName and DisplayVersion.

Regards,
Jan

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @janitka,
I don't like join because it's slow, try something like this:

(index = "windows" sourcetype="Script:InstalledApps") OR sourcetype="xendesktop:7:machine"
| eval host=if(sourcetype="Script:InstalledApps",MachineName,host)
| stats values(MachineName) AS MachineName values(DesktopGroupName) AS DesktopGroupName values(DisplayName) AS DisplayName values(DisplayVersion) AS DisplayVersion BY host
| table MachineName DesktopGroupName DisplayName DisplayVersion

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @janitka,
could you share your two searches?

Ciao.
Giuseppe

0 Karma

janitka
Explorer

Important stuff is in this topic, one search is
index = "windows" sourcetype="Script:InstalledApps" host="$MachineName$" | table host DisplayName DisplayVersion

other one
sourcetype="xendesktop:7:machine" 'xd_index' MachineName="$XXX$" | table MachineName DesktopGroupName

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...