Splunk Search

Trying to join multiple searches into one big output

lsulax
New Member

search |rename Name as Threat | stats count by Threat | sort -count

and

search |rename suser as User | stats count by User | sort -count

and

search | rename dvchost as Host | stats count by Host | sort -count

The search is the same for all three, and I want the output to look like this:

Threat                             count   User         count   Host   count
PUP.Optional.ASK                   36      CHollows     16      KVM    9974
PUM.Optional.DisableChromeUpdates  8       DFoghat      8       GIB    114
PUP.Optional.SuperOptimizer        4       AAerosmith   4       DWI    36
Exploit payload process blocked    1       FTelsa       4       STP    31


woodcock
Esteemed Legend

You need multireport; try this:

search
| foreach Name suser dvchost [ eval <<FIELD>>=coalesce(<<FIELD>>, "NULL") ]
| stats count BY Name suser dvchost
| multireport
   [ stats sum(count) AS count BY Name    | sort 0 - count | rename Name AS Threat ]
   [ stats sum(count) AS count BY suser   | sort 0 - count | rename suser AS User ]
   [ stats sum(count) AS count BY dvchost | sort 0 - count | rename dvchost AS Host ]

cvssravan
Path Finder

You haven't mentioned any common field to use for a join. If you still want to show them as you described, without any relation between the fields, you can go with "appendcols". See the query below:

search..... |rename Name as Threat | stats count as ThreatCount by Threat | sort -ThreatCount |
appendcols [search ....|rename suser as User | stats count as UserCount by User | sort -UserCount ] |
appendcols [ search ..... |rename dvchost as Host | stats count as HostCount by Host | sort -HostCount]

I just changed the column names of count to make them unique.

Hope this works.

adonio
Ultra Champion

I would highly recommend against this method: it is a very heavy search with unnecessary subsearches. Also take into consideration the subsearch limitations. Read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutsubsearches#Subsearch_performance_con...

adonio
Ultra Champion

Try this:

... your search ... | stats count(Name) as Threats count(suser) as User count(dvchost) as Host ...
That will make your search more efficient, and one search is enough: no join, no rename.

Hope it helps.
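As an added example (not from any post in this thread), the following single search builds the three independently ranked lists and lays them side by side without any subsearch, which addresses the subsearch-limit concern raised above. The first four lines use makeresults to build constructed sample events with the thread's Name, suser and dvchost fields; replace them with your own base search. The trick is to unpivot the three fields into kind/value pairs, count them in one pass, rank each kind with streamstats, and then pivot back by rank; as with appendcols, values that land in the same row are only positionally aligned and have no relationship to each other, and shorter columns are simply empty in the lower rows.

```spl
| makeresults count=1
| eval row=split("PUP.Optional.ASK;CHollows;KVM|PUP.Optional.ASK;CHollows;KVM|PUP.Optional.ASK;DFoghat;GIB|PUM.Optional.DisableChromeUpdates;AAerosmith;KVM|PUP.Optional.SuperOptimizer;FTelsa;DWI", "|")
| mvexpand row
| rex field=row "^(?<Name>[^;]*);(?<suser>[^;]*);(?<dvchost>[^;]*)$"
| fields - row _time
| foreach Name suser dvchost [ eval <<FIELD>>=coalesce(<<FIELD>>, "NULL") ]
| eval pair=mvappend("Threat:".Name, "User:".suser, "Host:".dvchost)
| fields pair
| mvexpand pair
| rex field=pair "^(?<kind>[^:]+):(?<value>.*)$"
| stats count by kind value
| sort 0 kind -count
| streamstats count as rank by kind
| eval Threat=if(kind="Threat", value, null()), ThreatCount=if(kind="Threat", count, null())
| eval User=if(kind="User", value, null()), UserCount=if(kind="User", count, null())
| eval Host=if(kind="Host", value, null()), HostCount=if(kind="Host", count, null())
| stats values(Threat) as Threat, values(ThreatCount) as ThreatCount, values(User) as User, values(UserCount) as UserCount, values(Host) as Host, values(HostCount) as HostCount by rank
| sort 0 rank
| fields - rank
```

With the constructed sample, row 1 reads PUP.Optional.ASK 3, CHollows 2, KVM 3, and row 4 has only a User entry because the other two lists have just three distinct values.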
