Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Looking to add a field from another searched index to a finished table

psomeshwar
Path Finder
‎03-19-2024 11:29 AM

Currently, I have two tables

Table1

hostnames        vendors              products          versions
host1                   vendor1              product1         version1
host2                   vendor2              product2         version2
host3                   vendor3              product3         version3
host4                   vendor4              product4         version4

Table2

device.hostname        device.username
HOST1                                user1
HOST2                                user2
HOST3                                user3
HOST4                                user4

The table that I want to generate from these two is the following:

Table3

hosts        username      vendors              products          versions
host1                 user1              vendor1              product1         version1
host2                 user2              vendor2              product3         version4
host3                 user3              vendor3              product3         version3
host4                 user4              vendor4              product4         version4

 

The search I tried was the following:

 

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename device.hostname as hostname
| rename device.username as username
| eval hosts = coalesce(hostnames, hostname)
| table hosts, username, vendors, products, versions

 

The result was the following:

hosts        username      vendors              products          versions
host1                                  vendor1              product1         version1
host2                                  vendor2              product3         version4
host3                                  vendor3              product3         version3
host4                                  vendor4              product4         version4
HOST1      user1
HOST2      user2
HOST3      user3
HOST4      user4

host1 and HOST1 both reference the same hostname, just one index had the letters capitalized and the other did not.

Does anyone have any ideas?

Labels (4)
Labels
0 Karma
Reply

marnall
Builder
‎03-19-2024 12:20 PM

Try this:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename device.hostname as hostname
| rename device.username as username
| eval hosts = lower(hosts)
| stats values(*) as * by hosts
| table hosts, username, vendors, products, versions

 

0 Karma
Reply

psomeshwar
Path Finder
‎03-19-2024 12:27 PM

So, I tried your solution and the result was:


hosts        username      vendors              products          versions
host1                 user1      
host2                 user2     
host3                 user3     
host4                 user4      

Also, I'm assuming you meant for the search to look like this:

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | rename device.hostname as hostname | rename device.username as username | eval hosts = coalesce(hostnames, hostname) | eval hosts = lower(hosts) | stats values(*) as * by hosts | table hosts, username, vendors, products, versions

Otherwise, the search wouldn't yield any results

0 Karma
Reply

marnall
Builder
‎03-19-2024 12:56 PM

Ack, seems I forgot to rename the hostname field to hosts, thus ruining the stats.

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename device.hostname as hosts
| rename device.username as username      
| eval hosts = lower(hosts)
| stats values(*) as * by hosts
| table hosts, username, vendors, products, versions

The trick is to get the hosts values (e.g. HOST1 and host1) to be in the same case (hence the lower()), then if you do "stats values(*) as * by host" , then it will put together all the values for the other columns on one row for each unique value of hosts. One for host1, one for host2, and so on.

 

 

0 Karma
Reply

psomeshwar
Path Finder
‎03-19-2024 01:02 PM

When trying this, the result was the same as the previous attempt, only the hosts and username fields populating

0 Karma
Reply

marnall
Builder
‎03-19-2024 01:10 PM

This could be caused because the host values are not becoming equal. Could you try your initial search but with the "| eval hosts = lower(hosts)" command at the end?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...