Splunk Search

How to modify my stats search to join multiple fields from three sources?

davesullivan41
Engager

I have data coming in from three sources, with three different sets of fields:

Source 1: Filename
Source 2: Filename, Unique_Identifier
Source 3: Unique_Identifier

These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.

I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.

search query | stats range(_time) by Unique_Identifier, Filename

But this is only returning data from Source 2, where both the Unique_Identifier and Filename fields exist. Is there a good way to include records from Source 1 and Source 3 as well?

1 Solution

sundareshr
Legend

You could edit your current search to add Filename & Unique_Identifier to the events from all 3 sources using eventstats, like this:

search query
| eventstats values(Filename) as Filename by Unique_Identifier
| eventstats values(Unique_Identifier) as Unique_Identifier by Filename
| stats range(_time) by Unique_Identifier, Filename

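To make the mechanism behind the accepted answer concrete, the following is an added Python emulation of that SPL pipeline; it is not Splunk code and is not from the original thread. The events are constructed: one file that passes Source 1 -> Source 2 -> Source 3, one Source 1 record with no matching Source 2 record, and a second data set in which the same Filename is reused under two Unique_Identifiers. The first eventstats pass copies Filename onto the Source 3 events that share a Unique_Identifier with a Source 2 event; the second pass copies Unique_Identifier onto the Source 1 events that share a Filename. The emulation also shows the two caveats a report built this way carries: an orphaned Source 1 record still has no Unique_Identifier and is silently dropped by the final stats, and a reused Filename turns values() into a multivalue field, which stats expands, so the time ranges of the two runs merge. The function names and the null-by-field behaviour are modelled on Splunk's documented semantics but are this example's own assumptions.

```python
from itertools import product

# Constructed sample events (not from the original post). _time is epoch seconds.
EVENTS = [
    {"_time": 1700000000, "source": "source1", "Filename": "report_a.csv"},
    {"_time": 1700000030, "source": "source2", "Filename": "report_a.csv", "Unique_Identifier": "uid-1001"},
    {"_time": 1700000095, "source": "source3", "Unique_Identifier": "uid-1001"},
    {"_time": 1700000100, "source": "source1", "Filename": "report_b.csv"},  # orphan: never reached Source 2
]

# Constructed: the same Filename processed twice under different Unique_Identifiers.
REUSED = [
    {"_time": 0,    "source": "source1", "Filename": "x.csv"},
    {"_time": 10,   "source": "source2", "Filename": "x.csv", "Unique_Identifier": "u1"},
    {"_time": 20,   "source": "source3", "Unique_Identifier": "u1"},
    {"_time": 1000, "source": "source2", "Filename": "x.csv", "Unique_Identifier": "u2"},
    {"_time": 1010, "source": "source3", "Unique_Identifier": "u2"},
]


def eventstats_values(events, value_field, by_field):
    """Emulate `eventstats values(value_field) as value_field by by_field`.

    Every event that carries by_field receives the distinct set of value_field
    values seen across all events with the same by_field value (a single value
    if there is exactly one, a sorted list if there are several). Events without
    by_field are left untouched, mirroring Splunk skipping null by-field values.
    Returns new dicts; the input list is not mutated.
    """
    groups = {}
    for ev in events:
        key = ev.get(by_field)
        if key is not None and value_field in ev:
            groups.setdefault(key, set()).add(ev[value_field])

    out = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(by_field)
        if key is not None and key in groups:
            vals = sorted(groups[key])
            ev[value_field] = vals[0] if len(vals) == 1 else vals  # multivalue when > 1
        out.append(ev)
    return out


def stats_range_time(events, by_fields):
    """Emulate `stats range(_time) by by_fields`.

    Events missing any by-field are dropped, as Splunk drops them. A multivalue
    by-field is expanded into one row per value, as Splunk does, so the returned
    dict maps each (by_field values...) tuple to max(_time) - min(_time).
    """
    spans = {}
    for ev in events:
        if any(ev.get(f) is None for f in by_fields):
            continue
        choices = [ev[f] if isinstance(ev[f], list) else [ev[f]] for f in by_fields]
        for key in product(*choices):
            lo, hi = spans.get(key, (ev["_time"], ev["_time"]))
            spans[key] = (min(lo, ev["_time"]), max(hi, ev["_time"]))
    return {key: hi - lo for key, (lo, hi) in spans.items()}


def run_naive(events):
    """The original search: only events that already carry both fields survive."""
    return stats_range_time(events, ["Unique_Identifier", "Filename"])


def run_search(events):
    """The accepted answer: two eventstats passes, then the same stats."""
    step1 = eventstats_values(events, "Filename", "Unique_Identifier")
    step2 = eventstats_values(step1, "Unique_Identifier", "Filename")
    return stats_range_time(step2, ["Unique_Identifier", "Filename"])


if __name__ == "__main__":
    print("naive :", run_naive(EVENTS))    # only the Source 2 event, range 0
    print("fixed :", run_search(EVENTS))   # Source 1 -> 3 span, report_b.csv dropped
    print("reused:", run_search(REUSED))   # both u1 and u2 report the merged 1010 s span
```

Before trusting the report, check for the second caveat in your own data with something like `| stats dc(Unique_Identifier) by Filename | where 'dc(Unique_Identifier)' > 1`; any Filename that appears more than once will have its runs collapsed into one range by this approach.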

davesullivan41
Engager

That seems to have worked, thanks!
