Splunk Search

Trying to join multiple searches into one big output

lsulax
New Member

search |rename Name as Threat | stats count by Threat | sort -count

and

search |rename suser as User | stats count by User | sort -count

and

search | rename dvchost as Host | stats count by Host | sort -count

The search is the same for all searches, and I want the output to look like this:

Threat                              count   User         count   Host   count
PUP.Optional.ASK                    36      CHollows     16      KVM    9974
PUM.Optional.DisableChromeUpdates   8       DFoghat      8       GIB    114
PUP.Optional.SuperOptimizer         4       AAerosmith   4       DWI    36
Exploit payload process blocked     1       FTelsa       4       STP    31


woodcock
Esteemed Legend

You need multireport; try this:

search
| foreach Name suser dvchost [ eval <<FIELD>>=coalesce(<<FIELD>>, "NULL") ]
| stats count BY Name suser dvchost
| multireport
   [ stats sum(count) AS count BY Name    | sort 0 - count | rename Name AS Threat ]
   [ stats sum(count) AS count BY suser   | sort 0 - count | rename suser AS User ]
   [ stats sum(count) AS count BY dvchost | sort 0 - count | rename dvchost AS Host ]

cvssravan
Path Finder

You haven't mentioned any common field to use for a join. If you still want to show them as you need, without any relation between the fields, you can go with "appendcols". See the query below:

search..... |rename Name as Threat | stats count as ThreatCount by Threat | sort -ThreatCount |
appendcols [search ....|rename suser as User | stats count as UserCount by User | sort -UserCount ] |
appendcols [ search ..... |rename dvchost as Host | stats count as HostCount by Host | sort -HostCount]

Just changed the column names of count to make them unique

Hope this works

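What the appendcols query above actually produces for the question's kind of data, and the two caveats that go with it (the three count columns must be renamed so they stay distinct, and row N of one column has no relationship to row N of the next), modelled in Python as an added example; this is not code from the thread and not a Splunk API. The events are constructed to resemble the question's Name / suser / dvchost fields, and `stats_count_by` and `appendcols` are hypothetical helpers that mimic the behaviour of the SPL commands of the same name.

```python
from collections import Counter
from itertools import zip_longest

# Constructed sample events shaped like the question's data: one dict per Splunk event.
# Two events deliberately lack a field, because `stats count by X` drops events without X.
EVENTS = [
    {"Name": "PUP.Optional.ASK", "suser": "CHollows", "dvchost": "KVM"},
    {"Name": "PUP.Optional.ASK", "suser": "CHollows", "dvchost": "KVM"},
    {"Name": "PUP.Optional.ASK", "suser": "DFoghat", "dvchost": "GIB"},
    {"Name": "PUM.Optional.DisableChromeUpdates", "suser": "DFoghat", "dvchost": "KVM"},
    {"Name": "PUP.Optional.SuperOptimizer", "suser": "AAerosmith", "dvchost": "DWI"},
    {"Name": "Exploit payload process blocked", "suser": "FTelsa"},  # no dvchost
    {"suser": "CHollows", "dvchost": "KVM"},                          # no Name
]


def stats_count_by(events, field, alias, count_name="count"):
    """Model of `rename <field> as <alias> | stats count as <count_name> by <alias> | sort -<count_name>`.

    Returns one row (dict) per distinct value, highest count first. Splunk leaves the
    order of tied counts unspecified; this model breaks ties alphabetically so that the
    output is deterministic.
    """
    counts = Counter(e[field] for e in events if field in e)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{alias: value, count_name: n} for value, n in ordered]


def appendcols(*tables):
    """Model of Splunk's appendcols: row i of the result is row i of every input table
    glued together by position. Shorter tables simply leave their columns absent, and
    a column name shared by two tables is overwritten by the later table, which is why
    the answer renames each `count` to ThreatCount / UserCount / HostCount."""
    rows = []
    for parts in zip_longest(*tables, fillvalue={}):
        merged = {}
        for part in parts:
            merged.update(part)
        rows.append(merged)
    return rows


def combined_report(events):
    """The three independent top-N tables side by side, as the appendcols answer builds them."""
    return appendcols(
        stats_count_by(events, "Name", "Threat", "ThreatCount"),
        stats_count_by(events, "suser", "User", "UserCount"),
        stats_count_by(events, "dvchost", "Host", "HostCount"),
    )


def events_matching_row(events, row):
    """How many events actually carry both the Threat and the User shown on one row.
    Rows are positional, so this can be zero even though both values occur in the data."""
    return sum(
        1 for e in events
        if e.get("Name") == row.get("Threat") and e.get("suser") == row.get("User")
    )


if __name__ == "__main__":
    report = combined_report(EVENTS)
    columns = ["Threat", "ThreatCount", "User", "UserCount", "Host", "HostCount"]
    print("\t".join(columns))
    for row in report:
        print("\t".join(str(row.get(c, "")) for c in columns))
    for row in report:
        print(f"Threat={row.get('Threat')!r} with User={row.get('User')!r}: "
              f"{events_matching_row(EVENTS, row)} event(s) carry both")
```

Run it and the last row of the printed table has a Threat and a User but no Host, because the host table is one row shorter; the final loop shows that the Threat and User sharing a row may never have occurred in the same event, which is the sense in which the answer says the columns have no relation to each other.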

adonio
Ultra Champion

I highly recommend against this method: a very heavy search and an unnecessary subsearch. Also take into consideration the subsearch limitations. Read more here:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutsubsearches#Subsearch_performance_con...

adonio
Ultra Champion

try this:

... your search ... | stats count(Name) as Threats count(suser) as User count(dvchost) as Host ...

That will make your search more efficient, and one search is enough. No join, no rename.

hope it helps
