Splunk Search

How do I run these two searches at the same time and compare fields extracted with rex for similarities?

raby1996
Path Finder

Hello all,

I have two searches (shown below). In the first, I extract two fields, Code and Serial. In the second, I search for specific events that contain the problem number PMN 23; the field extracted is called PMN (1st field extracted from 2nd search), and it ranges across multiple reporting serial values (2nd field extracted from 2nd search). I would like to compare the Serial and reporting serial fields from the two searches for similarity, and then keep only the ones that match and put them in a table/stat (whatever works really). However, I'm having problems running the two searches concurrently and comparing. Is there any way that I can do this?
Thank you

Search 1

| search index=* sourcetype=CodeLevels "Code Levels" 
| rex  "(?<Code>.*),(?<Serial>.*)"

Search 2

|search index=* sourcetype=syslog "PMN 23"
| rex "(?<PMN>.*),(?<reporting_serial>.*)"

0 Karma

1 Solution

lguinn2
Legend

You could do this

index=* (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23")
| rex  "(?<Code>.*),(?<Serial>.*)"
| eval PMN=if(sourcetype=="syslog",Code,null())
| eval Code=if(sourcetype=="CodeLevels",Code,null())
| stats count values(Code) as Code values(PMN) as PMN by Serial
| where count > 1 AND isnotnull(Code) AND isnotnull(PMN)

That's just one search, so it is more efficient too. It is not testing for "similar" values of Serial and "reporting serial", but an exact match.
What would you consider "similar?"

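As an added example (not part of lguinn2's answer or the original thread), the same single-search approach can be tightened in two ways a reviewer would want before relying on it in a detection or reporting search: the join key is normalized (trimmed and upper-cased) so that a serial that differs only in case or surrounding whitespace still matches exactly, and the final filter requires that both sourcetypes contributed to the key, rather than `count > 1`, which would also pass two CodeLevels events that share a serial with no matching syslog event. The field names `left`, `right`, `serial_key` and `sources` are this example's own choices; the sourcetypes, search terms and comma-separated event layout are assumed to be as described in the question.

```spl
index=* (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23")
| rex "^(?<left>[^,]*),(?<right>.*)$"
| eval serial_key=upper(trim(right))
| eval Code=if(sourcetype=="CodeLevels", left, null())
| eval PMN=if(sourcetype=="syslog", left, null())
| stats dc(sourcetype) as sources values(Code) as Code values(PMN) as PMN by serial_key
| where sources==2
| rename serial_key as Serial
| table Serial Code PMN
```

Note that `[^,]*` splits each event on its first comma, whereas the greedy `.*` in the original rex splits on the last one; pick whichever matches how the Code and PMN values are actually formatted, and if the serial is the only part that can contain a comma, the first-comma form is the safer choice. `dc(sourcetype)` is what enforces "present in both searches"; `values(...)` collects every Code and PMN seen for that serial, so a serial with several code levels shows up as one row with a multivalue Code field.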

raby1996
Path Finder

Sorry should have been more clear, by similar I mean exact match, and thank you!

0 Karma

edrivera3
Builder

index=blabla | my_search_request OR [index=blabla2 | my_search_request_2]

0 Karma

lguinn2
Legend

Can you explain this answer? I don't understand what my_search_request would look like, so I am unclear how this solution would work. Thanks!

0 Karma

edrivera3
Builder

I thought that raby1996 only needed to know how to run two searches at the same time. Please excuse me if I caused any confusion in any way. I see that your answer also used the Boolean operator OR, but your answer is definitely very complete.

0 Karma