Splunk Search

How can I filter out unique values from a shared field across multiple queries using subsearch?

rlough
Path Finder

Hello,

I currently have two queries which both have the same field. Is there a way, using subsearch, to filter out any values that are not in both queries?

Here's what I currently have, but it does not work as expected:

source=src1.log join SHARED_FIELD [search source=src2.log]

Thank you in advance!

Example Data:

src1
SHARED_FIELD=blah
SHARED_FIELD=blah2
SHARED_FIELD=blah3

src2
SHARED_FIELD=blah
SHARED_FIELD=blah3
SHARED_FIELD=blah4

Result from query:

SHARED_FIELD=blah
SHARED_FIELD=blah3
1 Solution

martin_mueller
SplunkTrust

Try this slightly different approach:

source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1


martin_mueller
SplunkTrust

Use | where source_count = 2 then.


martin_mueller
SplunkTrust

Sure, any combination of filters is possible. Just make sure you get the parentheses right to apply the filter for source one only to source one.

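To make the semantics of the accepted approach concrete, here is a small Python model of the SPL pipeline discussed in this thread (`eventstats dc(source) as source_count by SHARED_FIELD | where source_count = N`, plus the per-source filters in parentheses). This is an added example, not Splunk's code or anything posted in the thread; the events, the `TAG1` values and the `_raw` text are constructed to mirror the example data in the question. It shows that `source_count = 2` yields the values present in both sources (the intersection the asker wanted), `source_count = 1` yields the values present in only one, and that a filter wrapped with one source's clause affects only that source's events.

```python
from collections import defaultdict

# Constructed sample events mirroring the question's example data.
# TAG1 and _raw are assumed fields added so the per-source filters have something to match.
EVENTS = [
    {"source": "src1.log", "SHARED_FIELD": "blah",  "TAG1": "TAG"},
    {"source": "src1.log", "SHARED_FIELD": "blah2", "TAG1": "TAG"},
    {"source": "src1.log", "SHARED_FIELD": "blah3", "TAG1": "OTHER"},
    {"source": "src2.log", "SHARED_FIELD": "blah",  "_raw": "some matching text here"},
    {"source": "src2.log", "SHARED_FIELD": "blah3", "_raw": "some matching text too"},
    {"source": "src2.log", "SHARED_FIELD": "blah4", "_raw": "nothing relevant"},
]


def eventstats_dc_source(events):
    """Model of `eventstats dc(source) as source_count by SHARED_FIELD`.

    Unlike `stats`, eventstats keeps every event and annotates it with the
    number of distinct sources seen for its SHARED_FIELD value.
    """
    sources_by_value = defaultdict(set)
    for ev in events:
        sources_by_value[ev["SHARED_FIELD"]].add(ev["source"])
    return [
        dict(ev, source_count=len(sources_by_value[ev["SHARED_FIELD"]]))
        for ev in events
    ]


def shared_values(events, source_count):
    """Model of `| where source_count = <source_count>`, reduced to the
    sorted set of SHARED_FIELD values that survive the filter."""
    return sorted(
        ev["SHARED_FIELD"]
        for ev in eventstats_dc_source(events)
        if ev["source_count"] == source_count
    ) and sorted({
        ev["SHARED_FIELD"]
        for ev in eventstats_dc_source(events)
        if ev["source_count"] == source_count
    })


def per_source_filter(events):
    """Model of `(source=src1.log TAG1=TAG) OR (source=src2.log "some matching text")`.

    Each extra condition sits inside its own source's parentheses, so the
    TAG1 test never touches src2 events and the free-text match never
    touches src1 events.
    """
    kept = []
    for ev in events:
        if ev["source"] == "src1.log" and ev.get("TAG1") == "TAG":
            kept.append(ev)
        elif ev["source"] == "src2.log" and "some matching text" in ev.get("_raw", ""):
            kept.append(ev)
    return kept


if __name__ == "__main__":
    print("in both sources:      ", shared_values(EVENTS, 2))   # ['blah', 'blah3']
    print("in exactly one source:", shared_values(EVENTS, 1))   # ['blah2', 'blah4']
    print("in both, after per-source filters:",
          shared_values(per_source_filter(EVENTS), 2))          # ['blah']
```

Note that in Splunk the `where` keeps whole events from both sources, not just the field values; if only the list of shared values is needed, a trailing `| stats count by SHARED_FIELD` collapses them to one row per value.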

rlough
Path Finder

Hey, I just realized that this is only keeping unique values. I actually want to filter those out so that only fields in both sources are recorded. Is there a similar function to dc() that does this?


martin_mueller
SplunkTrust

That means there is no value for SHARED_FIELD that only exists in one source?


rlough
Path Finder

Is there any way to add extra tags to the searches? i.e.

(source=src1.log TAG1=TAG) OR (source=src2.log "some matching text") | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1


rlough
Path Finder

Oh, I figured it out! I needed to include the index for the search at the beginning of the query, whoops.

Thanks for the help!


rlough
Path Finder

Nope, doesn't seem to be working. I'm still getting 0 events found.
