I couldn't figure out how to do both searches in the same search, so running two separate searches and then joining them by "Systems" was a work around. I then take the daily search I did above and join it with the search I have in the panel: |where last_check > relative_time(now(), ip "OS" "Systems" I ended up running a daily search, like below (checks the entire keystore for the latest date within 30days and does a stats count). ![]() Specify a list of fields to remove from the search results. Return only the host and src fields from the search results. Specify a list of fields to include in the search results. To learn more about the fields command, see How the fields command works. Systems Total IP's in System Scans Total IP's of Systems %Seen_in_Scan The following are examples for using the SPL2 fields command. Heck, even adding another column adding a % overall seen would even be nice too (not sure how to do this): Is that possible? (above) I'm not sure how to accomplish this, it looks easy, but I've been messing around with it for too long. join uripath search earliest24h latest23h sourcetypeaccesscombined indexmain stats avg(response) AS AVG by uripath Using the join command, we join. Systems Total IP's in System Scans Total IP's of Systems Note: "| inputlookup scan_data.csv" has a roster of all of the IP's seen in scans. Below is a search that runs and gives me the expected output of total of all IP's seen in the scans by System: inputlookup scandata2.csv join typeinner inputlookup KVsystem where isnotnull (stuff) eval stuffsplit (stuff, 'delim. ![]() Note: "| inputlookup ips_of_systems.csv" has a roster of ALL the IP's seen, whether it's seen in a scan or not. I am trying to get data from two different searches into the same panel, let me explain. For example, System "XYZ" has a total of 10005 seen in system scans, BUT overall they have 12000 IP's (only 10005 of which are seen by scans). I would like to add a column that has the total number of servers by Systems whether it's seen in the scans or not. That search gives me something like this as output (as expected): |rename count as "Total IP's in System Scans" Below is a search that runs and gives me the expected output of total of all IP's seen in the scans by System: | eval memberOf="employed as ".mvindex(split("permanent,contractor",","),row%5).I am trying to get data from two different searches into the same panel, let me explain. | eval device_name=user.mvindex(split("WXYZ",""),row%4) You can run the separate parts to see the data and compare with the results to see that the only device / user combinations are neither known devices nor contractors. This run-anywhere example generates 100 rows with random ip addresses for 60 (3 * 5 * 4) user/device combinations, and removes the first 20 devices (assumed to be known by the company) and then removes a fifth of the users who are registered as being contractors. I think a couple of NOTs in the search since devices which are not in the company list and users who were not contractors. In addition, the lookup command is the same thing of a join with a lookup instead inputlookup. This solution has only one limit: you can have only until 50,000 results in subsearches, but with a lookup it shouldn't be a problem. The left-side dataset is the set of results from a search that is piped into the join. You can also combine a search result set to itself using the selfjoin command. Rename name AS device_name | fields device_name ] You can use the join command to combine the results of a main search (left-side dataset) with the results of either another dataset or a subsearch (right-side dataset). In your case: index=firewall vpn_connection=success [ | inputlookup AD_Computer_LDAP_list | Splunk isn't a DB (remember!) and you can have the above requirement using stats command.īut in your question, you need to filter a search using results from other two searches and it's a different thing: you cona use subsearches with the only attention to have the same field names in main and sub searches. ![]() Hi Splunk join is used to correlate two (or more ) searches using one or more common keys and take fields from both the searches. | table vice, er, connected.src_IPĪny way to avoid using joins and to simplify this would much appreciated! | join type=left left=connected right=contractor where er=er | rename vpn.user as user, vpn.device as device | table vpn.device_name, vpn.user, vpn.src_IP | join type=outer left=vpn right=AD where vpn.device_name=AD.name I want a table of users connected to the company VPN, who are not using a corporate device and who are not contractors. The first join is to find non-corporate devices and the second join is to find users who are not contractors.Ĭurrently the search looks something like this: I've read in other posts that using join in Splunk isn't great so I'm looking for a better way to do my search.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |