Splunk Search

How to combine the results of my different searches?

nschacht123
New Member

How do I merge search results for this problem:

Search 1 contains Field A, Search 2 contains Field B. Want to merge searches by host, time, and Field A = Field B

What I have so far is:

index=<index value> sourcetype=<sourcetype value> host=<host value> ("Search 1" OR "Search 2") | transaction host startswith="Search1" endswith="Search2" maxspan=3s

Gets me sorta close, but I still have a mismatch with Field A and Field B.

I need to correlate the results of the searches by host, time, and Field A and Field B matching.

Any ideas?

0 Karma

lguinn2
Legend

Try this:

index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| eval newField = coalesce(FieldA,FieldB)
| transaction host newField startswith="Search1" endswith="Search2" maxspan=3s

You might not need the startswith="Search1" endswith="Search2"

0 Karma

nschacht123
New Member

Not what I was looking for.

0 Karma

lguinn2
Legend

Sorry, your syntax is very confusing to me. Do you mean:

index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| transaction host startswith="Search1" endswith="Search2" maxspan=3s

Also, are there many results for "Search1" and "Search2" for each host?

0 Karma

nschacht123
New Member

Yes, that is the correct syntax. Although I don't know if I'm on the right trail. There won't be too many results for each search.

Basically I have logs from a device. I'm trying to merge searches from two different sections of the logs. Search 1 shows a trigger for a channel. Search 2 shows the result of that trigger. There is a field in Search 1 (FieldA) that has the channel ID. Search 2 has a field (FieldB) that has the channel ID. Since host is the same for both searches, using the transaction command combines the logs by host, but Field A and Field B are all mixed up.

I have the 2 searches:

index=myIndex sourcetype=asourcetype host=xyzHost "Search 1"
Result contains Field A which is equal to A-Z
index=myIndex sourcetype=asourcetype host=xyzHost "Search 2"
Result contains Field B which is equal to A-Z

I want to merge to one transaction. I have no problem with host since it is the same field, but how do I handle Field A and Field B?

I want the combined search to show me logs where the hosts are the same and Field A and Field B match.

Does that make any sense???

0 Karma
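As an added example (not code posted by anyone in this thread), here is one way to do the correlation described above, assuming the index/sourcetype/host values, the "Search 1"/"Search 2" markers and the field names FieldA/FieldB used in the thread. The key point is that transaction and stats group on a field by name, so the trigger's FieldA and the result's FieldB must first be folded into one shared field with coalesce; the first query pairs each trigger with its result via transaction, the second does the same with stats, which is cheaper on busy hosts.

```spl
index=myIndex sourcetype=asourcetype host=xyzHost ("Search 1" OR "Search 2")
| eval channel=coalesce(FieldA, FieldB)
| eval stage=if(searchmatch("Search 1"), "trigger", "result")
| transaction host channel startswith=eval(stage="trigger") endswith=eval(stage="result") maxspan=3s
| where eventcount=2
| table _time host channel duration

index=myIndex sourcetype=asourcetype host=xyzHost ("Search 1" OR "Search 2")
| eval channel=coalesce(FieldA, FieldB)
| eval trigger_time=if(searchmatch("Search 1"), _time, null())
| eval result_time=if(searchmatch("Search 2"), _time, null())
| stats min(trigger_time) as trigger_time max(result_time) as result_time by host channel
| where isnotnull(trigger_time) AND isnotnull(result_time) AND result_time>=trigger_time AND result_time-trigger_time<=3
| eval delay=result_time-trigger_time
| table host channel trigger_time result_time delay
```

The `where eventcount=2` filter drops transactions that closed on maxspan with only a trigger or only a result, which is what caused the mismatched pairs; the stats form pairs only the earliest trigger with the latest result per host and channel, so use transaction when a channel fires more than once inside the search window.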