- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare data in two different sourcetypes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have two different sourcetypes src_a, src_b. There are some "transaction_id"'s in src_a, and "transaction_no" in src_b. Both are the same. Both sourcetypes belong to the same index.
I have to compare transaction_id in src_a, (transaction_no in src_b)whose status=complete in the src_b.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, you probably need to clarify what type of comparison you want to do;
- you want to find all transaction_id in A whose corresponding transaction_no in B has status 'complete'
- you want to find all transaction_id in A who do NOT have a 'complete' status in B
- you want to find some ratio between the two
- your want to build (splunk)
transactionsto locigcally group events from A & B
Here are some idea anyway;
Create a common field between the sources and create a transaction based on that.
source=A OR source=B | eval transX = coalesce(transaction_id, transaction_no) | transaction transX
Find events in A that do not have a 'complete' in B
source=A NOT [search source=B status="complete" | rename transaction_no AS transaction_id | fields + transaction_id]
hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extending answer by Kristian, if you need all the fields from src_a and src_b for a transaction whose status=complete in src_b, you can use join.
sourcetype=src_a | join transactionId [search sourcetype=src_b status="complete" | rename transaction_no as transaction_id]
if you just want fields from src_a, this is little faster way.
sourcetype=src_a | join transactionId [search sourcetype=src_b status="complete" | stats count by transaction_no | fields - count| rename transaction_no as transaction_id]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank u somesoni for ur time!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, you probably need to clarify what type of comparison you want to do;
- you want to find all transaction_id in A whose corresponding transaction_no in B has status 'complete'
- you want to find all transaction_id in A who do NOT have a 'complete' status in B
- you want to find some ratio between the two
- your want to build (splunk)
transactionsto locigcally group events from A & B
Here are some idea anyway;
Create a common field between the sources and create a transaction based on that.
source=A OR source=B | eval transX = coalesce(transaction_id, transaction_no) | transaction transX
Find events in A that do not have a 'complete' in B
source=A NOT [search source=B status="complete" | rename transaction_no AS transaction_id | fields + transaction_id]
hope this helps,
K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thnx kolb & somesoni !!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
