The following example appends the current results of the main search with the tabular results of errors from the subsearch. Union the results of a subsearch to the results of the main search | from mysecurityview | fields _time, clientip | union customers 3. The following example merges events from incoming search results with an existing dataset. Union events from an incoming set of search results You can also embed the union command in the from command by using a subsearch in the FROM clause expression: Search 1: index'internal' source'metrics.log' perindexthruput seriesautoshell hostlelsplunkix eval GBkb/ (10241024) timechart span12h sum (GB) as GB by series Results: (example - 500k+ rows returned) time raw sourcetype GB 07:04:33.307 ABC ship 0.0000264551490559 07:04:31.168 LMN rum 0. I would like to combine both searches into one. The log file for each platform unfortunately uses a different identifier for login behavior. | union customers, orders, vendors_lookup Hello, I am attempting to use Splunk to search two log files that hold activity for two platforms of an application 'IOS' & 'Android'. 'advisoryidentifier' shares the same values as sourcetype b 'advisory.advisoryidentifier'. Sourcetype A contains the field 'cvestrlist' that I want, as well as the fields 'criticalitydescription' and 'advisoryidentifier'. You must separate the dataset names with a comma. I need to join fields from 2 different sourcetypes into 1 table. The following example merges events from the customers and orders index datasets, and the vendors_lookup dataset. If it's only to identify the flow, you could override host using the link I hinted, so you can maintain all the knowledge objects related to the same sourcetype. To learn more about the union command, see How the union command works. I hope it's possible but maybe I'm reaching here. The following are examples for using the SPL2 union command. I've not found anything that can do what I'm trying to do.
I've even tried to just duplicate the field and use the duplicate instead of the original and still no luck. I've tried replacing | stats max(AgentVer) with | eval TA=max(AgentVer), I've tried chart instead of stats, etc. | eval Status=if(AgentVer=TA, "True","False") Again, the above are just examples of what I've tried. | eval Status=if(AgentVer=TAV, "True","False") Here's an example of what I have tried, but this is not exhaustive because I've tried 500 different ways. However the ciscosourcetype transform is not working; while the correct data is being sent to the correct index, the sourcetype is not being changed. The ASA logs are sent to the other index as per ciscoindex. I've tried all kinds of ways to extract that version number and put it into its own field and then do the comparison, and nothing I've tried works. The following works: The logs have the correct host name as per hosttransform. Where this gets complicated is when I try to isolate the latest version. The difference between an inner and a left (or outer) join is how the events are treated in the main search that do. All the data that are inserted into Splunk are first judged by the inbuilt function of the software that categorizes it. Description: Indicates the type of join to perform. Descriptions for the join-options argument. I can get exactly what I need using the query below, but it needs to be manually updated every time the Agent version is updated. Use either outer or left to specify a left outer join. To explain in more detail: I'm wanting the query to use the latest version of the Trellix/McAfee Agent reported in Splunk and then compare that value against the full set and return True/False if the numbers match. My end goal is to create a query that produces a True/False (or equivalent) result for each value when compared to the max value of the same field. Also, I'm wanting to make it as future proof as possible so it "just works" with little need to update or modify.
I'm wanting to avoid using saved searches and lookup tables as much as possible so it's easily maintainable by anyone on the team.