- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine two different searches?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking to grab the data that fall under two completely different searches.
I have these two searches.
index="A"
| iplocation src
| search Country!="country1" status=200
| bucket _time span=1m
| stats count by _time, usr1
| where count > 25
AND
sourcetype="B"
| bucket _time span=1m
| stats count by _time, usr2
| where count > 25
I want to combine them. Here is what I have so far but it doesn't pull up the data.
index="A" OR sourcetype="B"
| eval id=case(index="A", "usr1", sourcetype="B", "usr2")
| iplocation src
| search Country!="country1" status=200
| bucket _time span=1m
| stats count by _time, id
| where count > 25
sourcetype="B" does not contain iplocation or country information. This, I believe, is the issue.
I have tried subsearches, join, append, etc...
Any advise is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index="A" OR sourcetype="B" status=200
| eval id=case(index="A", "usr1", sourcetype="B", "usr2")
| eventstats values(src) as src1 by id | eval src=coalesce(src,src1)
| iplocation src
| search Country!="country1"
| bucket _time span=1m
| stats count by _time, id
| where count > 25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index="A" OR sourcetype="B" status=200
| eval id=case(index="A", "usr1", sourcetype="B", "usr2")
| eventstats values(src) as src1 by id | eval src=coalesce(src,src1)
| iplocation src
| search Country!="country1"
| bucket _time span=1m
| stats count by _time, id
| where count > 25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome. It worked. Can you explain why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The eventstats was the trick. After | eval id=case(, you'll a common field between both index=A and sourcetype=B. Using this common field, the eventstats added the src to events in sourcetype=B where it was not earlier. After that since src was available in all events now, iplocation and Country based filter worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahhh. Makes sense now. Thank you.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
