Association same field and of sourcetype different

RichPierre · ‎03-31-2014

Good evening,
I have a question:
I have a sourcetype A with a field "ip" and a "name"
I have a sourcetype B with a field "ip" and a "name"
I shall like knowing if you know how to associate the identical fields at the level of the ip and whose name is different.
Knowing that I have no access to the limit.config file and that every sourcetype has more than 70 000 fields.

Cordially

martin_mueller · ‎03-31-2014

As a first jab, take a look at this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip | where sourcetypes>1

Whether that's anywhere near what you're looking for depends on what you're looking for.

martin_mueller · ‎04-01-2014

To also add the date into the stats and filter only those with differing names you can do this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetypes) as sourcetypes by ip date | where sourcetypes>1 AND mvcount(names)>1

RichPierre · ‎04-01-2014

It's true, that finally it is simple. But I had badly analyzed the thing. Indeed, I make a request accelerated to get back the information.
I thus find myself with this :
Ip | name | date | sourcetype
1. 192.168.1.45 max 2014/03/05 A
2. 192.1681.1.89 bob 2014/03/05 A
3. 192.168..45 john 2014/03/05 B
4. 192.168.1.89 bob 2014/03/05 B

I want the people who have same Ip but who the same day have same no same sourcetype and name. Is it possible? Cordially.

somesoni2 · ‎03-31-2014

What kind of association you're looking for? What should be the final output from these two sourcetype? You can use join for some requirements.

Association same field and of sourcetype different

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!