Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for field values present in one index missing from another index?

djconroy
Path Finder
‎04-21-2015 01:28 PM

I have one index with a field "MessageId" that is common with another index.

I need to got through all the values of MessageId in index1, and then search index2 to make sure they are also there.

I was trying to use an outer join to do this with the following syntax:

search index=index1
sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2 earliest=-5d@d latest=-4d@d
| eval ClockPunchID=MessageId
| eval Status1="Received"
| join ClockPunchID type=outer [search index=index2 * | eval ClockPunchID=MessageId | eval Status2 = "Received" ]
| eval Status = if(match(Status1,Status2), "Complete", "Incomplete")
| table ClockPunchID ClockTypeId Status1 Status2 Status

The problem I am getting is I get no results at all from my index2 search. All values of Status2 are blank. If I manually copy and paste the subsearch syntax into a separate search window I get exactly what I would expect, but as part of a join I get nothing, only the index1 results.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 01:41 PM

So, you have the field MessageId extracted in both indexes and want to know what values are in only one index and what values are in both? Try this:

  (index=index1 sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2) OR (index=index2)
| stats values(index) as indexes values(ClockTypeId) as ClockTypeId by MessageId
| eval Status = if(mvcount(indexes)==2, "Complete", "Incomplete")
| rename MessageId as ClockPunchID

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 01:41 PM

So, you have the field MessageId extracted in both indexes and want to know what values are in only one index and what values are in both? Try this:

  (index=index1 sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2) OR (index=index2)
| stats values(index) as indexes values(ClockTypeId) as ClockTypeId by MessageId
| eval Status = if(mvcount(indexes)==2, "Complete", "Incomplete")
| rename MessageId as ClockPunchID
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 02:22 PM

Append this to only keep events that exist in index1 or both:

... | search indexes="index1"

That's translated into "the multi-valued field indexes contains the value index1".

Reply
Solved! Jump to solution

djconroy
Path Finder
‎04-21-2015 02:42 PM

Great, thank you!

0 Karma
Reply
Solved! Jump to solution

djconroy
Path Finder
‎04-21-2015 02:14 PM

That is getting me close... but there is a delay in the Messages getting to Index2, which can skew results. I'm not really concerned if they are in index2 but not in index1. Is there a way to filter out occurrences where the MessageId exists in index2 but not index1?

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...