splunk search combine different sources

selvam_sekar · ‎01-04-2024

Hi,

I have the below scenario. please could you help?

spl1:

index=abc  sourcetype=1.1 source=1.2  "downstream"  "executioneid=*"

spl2:

index=abc  sourcetype=2.1 source=2.2 "do not write to downstream" "executioneid=*"

both the spl uses the same index and they have the common field called executionid. some execution ids are designed not to go to downstream application in the flow. I want to combine these two spl based on the executioneid

gcusello · ‎01-04-2024

Hi @selvam_sekar,

you can correlate the two searches using the stats command, something like this:

index=abc ((sourcetype=1.1 source=1.2  "downstream") OR (sourcetype=2.1 source=2.2 "do not write to downstream")) "executioneid=*"
| stats 
   values(sourcetype) AS sourcetype
   values(source) AS source
   BY executioneid

you can also add conditions e.g. the presence in both the sourcetypes or only in one of them.

Ciao.

Giuseppe

isoutamo · ‎01-05-2024

Hi

there are excellent presentations kept on .conf about joining data sets without join.

e.g. https://conf.splunk.com/watch/conf-online.html?search=PLA1528B#/

r. Ismo

splunk search combine different sources

subsearch

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!