Just checking back since a good amount of time is spent and now running out of time. Note: rrelationId is a json format hence used that way. Appreciate your help and response here. | where mvcount(sourcetype)=1 AND sourcetype="app_log" How can we join two sourcetypes together that have. | stats values(_time) as _time values(sourcetype) as sourcetype by rrelationId For your particular situation, I don't think join is necessary. This is because join is expensive and clunky, although it can achieve the desired results. Index=qa_source sourcetype=app_log OR sourcetype=temp_log The rule of thumb in Splunk is: 'When possible, avoid the use of join unless it's absolutely necessary'. Below is the query and could you please suggest further. Though below is the query I am using based on suggestions, I am still not able to display in tabular format with missing correlation ids, also I need to put the timestamp from a1. (sourcetypeA 'Hostile Conditions') OR (sourcetypeB sourceip'Hostile IP') This gets all the data in one big pile. ago Maybe this approach could help, I've found rather than going to tables and then joining that you can just grab everything & count the distinct sourcetypes. My query has to be more generic which should accept to query for all correlation ids(*) or a particular corrl id(123) and has to go for a search in two index source types and has to return the list of missing ids which are in a1 but not in a2. statspadford Counter Errorism 2 yr. Also, I'm wanting to make it as future proof as possible so it 'just works' with little need to update or modify. fields source, sourcetype, host, error See also fields command fields. I'm wanting to avoid using saved searches and lookup tables as much if possible so it's easily maintainable by anyone on the team.
I will get '*' which is for all correlation id in last 24 hrs or any time frame set in splunk dashboard or a particular correlation id as input from the top level text box, 2. One way Splunk can combine multiple searches at one time is with the append. Just wanted to put few more points based on my requirement, I spent lot of time but still could not follow correct steps. 1. I was looking for map and append, but no success avail. Appreciate your quick response, Thank you! index1idx1 sourcetypesrc dedup A join typeouter A search indexidx2 sourcetypesrc dedup A. This is slow and subject to a limit of 50,000 results. Is there any other possible way to achieve the results. 2 Answers Sorted by: 0 If there are fields common to both event types then you can use a left join to combine the data. But if the ticket is not found, it should leave it empty. Which means that if the same ticket is found, it can combine the values. Ticket | Main_Ticket | Value | Line |Linespecs | Linedescription | Other C2995A001 | C2995A | DTS | X2 | "Some Text" | "Some other Text" | other C2995B002 | C2995B | DTS | X2 | "Some Text" | "Some other Text" | other index="index1" sourcetype="Sourcetype_A" OR sourcetype="Sourcetype_B" Ticket="C2995*" | dedup Ticket | join type=left |table Ticket, Main_Ticket, Value, Line, Linespecs, Linedescription, Other Therefore, I tried to use the left join but it is not giving all the results. Help joining two different sourcetypes from the same index that both have a.I. Ticket | Linespecs | Linedescription | Other C2995A001 | "Some Text" | "Some other Text" | other C2995B002 | "Some Text" | "Some other Text" | other A8743B002 | "Some Text" | "Some other Text" | other Using Splunk: Splunk Search: join search with condition erid. Ticket | Main_Ticket | Value | Line | LinkedTicket C2995A | C2995A | DPU | L1 | Z4563A$Z4575A set diff search indexidx2 sourcetypesrc dedup A search indexidx1 sourcetypesrc dedup A stats count BY index A table index A.
basically equivalent of set operation a+ (b-a). If found, I need to check if it is available in SourceType_C as well and extract the values "Linespecs, Linedescription, Other" from SourceType_C. I've to combine the data in such a way that if there is duplicate then the data from idx1 must be prioritized over data from idx2 i.e. I am trying to check a certain ticket series in Sourcetype_A or Sourcetype_B.