Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Evalute results based on like-fields from two different indexes?

jl19
Explorer
‎08-16-2017 12:04 PM

I have entries in IndexA that I want to find failures for. However, if IndexB has an entry with the same field and is a 'success' entry then I want to exclude it from the results entirely.

Example:
IndexA
Entry1
- Result: Failure
- ID: 1
Entry2
- Result: Failure
- ID: 2

IndexB
Entry1
- Result: Success
- ID: 1

The search would only return Entry2 from IndexA in this scenario because ID:1 exists in both A and B so Entry1 was excluded. I can't figure out how to get these to properly exclude based on results from IndexB. I've been attempting sub-searches and joins but the results aren't coming through.

Any help would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-16-2017 02:20 PM

There are tons of ways, depending on the data

(index="A" "Failure")  OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-16-2017 02:20 PM

There are tons of ways, depending on the data

(index="A" "Failure")  OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-16-2017 02:42 PM

@jl19 - if this solved your issue, then please accept the answer so it will show closed. If not, please feel free to ask for more information here. Thanks!

Reply
Solved! Jump to solution

jl19
Explorer
‎08-16-2017 03:13 PM

I had to tweak it a little more for my use case but this got me through the wall I was hitting. Thank you very much for your help! This was great!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-16-2017 03:46 PM

@jl19 - that's sometimes how it works. A lot of questions in splunk are largely answered by pulling out all the complications already introduced, and doing simple respecifications that start at the record level. Glad it worked out.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...