Splunk Search

How to populate column in results using two indexes?

splunker1981
Path Finder

Hello all -

Trying to figure out how to return the table below when using two index/sourcetypes. I'd like to do some eval by index and then check whether the respective index has an event so I can add yes | no to the respective column. The common field would be IP and either the IP will have both or one or the other defined.

indexA
ip=1.1.1.1 app-id=3.09
ip=3.3.3.3 app-id=2.11

indexB
ip=1.1.1.1 rel=release39
ip=2.2.2.2 rel=release12

Desired Results
IP        Release    App-id
1.1.1.1   yes        yes
2.2.2.2   yes        no
3.3.3.3   no         yes

gcusello
SplunkTrust

Hi splunker1981,
if you want to list all the IPs where there's at least Release=yes or App-id=yes, try something like this:

index=indexA OR index=indexB
| stats dc(rel) AS rel dc(app-id) AS app-id BY ip
| eval Release=if(rel>0,"yes","not"), 'App-id'=if('app-id'>0,"yes","not")
| rename ip AS IP
| table IP Release App-id

If you could have also both Release=not and App-id=not, you have to try something like this:

index=indexA OR index=indexB
| stats dc(rel) AS rel dc(app-id) AS app-id BY ip
| eval Release=if(rel>0,"yes","not"), 'App-id'=if('app-id'>0,"yes","not")
| append [  search index=indexA NOT app-id=* | eval 'App-id'="not" | fields ip App-id]
| append [  search index=indexB NOT rel=* | eval Release="not" | fields ip Release ]
| stats values(Release) AS Release values(App-id) AS App-id BY ip
| rename ip AS IP
| table IP Release App-id

Bye.
Giuseppe


gcusello
SplunkTrust

Hi splunker1981,
if you're satisfied by this answer, please accept and/or upvote it.

Bye, see next time.
Giuseppe


chrisyounger
SplunkTrust

Does this do what you need?

index=indexA OR index=indexB 
| stats values(rel) as Release values(app-id) as "App-id" by ip
| rename ip as IP
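As an added example (not from either answerer), the same yes/no table built from the question's four sample events, constructed inline with makeresults so it can be pasted into any search bar without the indexA/indexB data; the field names ip, rel and app-id are the question's, the counter names rel_events and appid_events are assumed. Note that app-id must be single-quoted inside eval, otherwise Splunk reads it as the arithmetic expression app minus id.

```spl
| makeresults count=1 | eval index="indexA", ip="1.1.1.1", 'app-id'="3.09"
| append [| makeresults count=1 | eval index="indexA", ip="3.3.3.3", 'app-id'="2.11"]
| append [| makeresults count=1 | eval index="indexB", ip="1.1.1.1", rel="release39"]
| append [| makeresults count=1 | eval index="indexB", ip="2.2.2.2", rel="release12"]
| fields - _time
| stats count(rel) AS rel_events count(app-id) AS appid_events BY ip
| eval Release=if(rel_events>0,"yes","no"), 'App-id'=if(appid_events>0,"yes","no")
| rename ip AS IP
| table IP Release App-id
```

Against real data, replace the first five lines with `index=indexA OR index=indexB`; count() returns 0 rather than null for an IP that has no events carrying the field, so every IP seen in either index gets an explicit yes or no in both columns.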