Solved: How to join multiple sources with common fields an...

Valisha2005 · ‎02-19-2018

Hello, I'm new to splunk. I would like to know how to join several sources and have the results stats displayed from both sources. In the example below I want to see the top 30 orders by url link. The orders is in one source(x) and the url link is another(y) both sources share a common url id.

index = main (sourcetype= skeletor_rails OR sourcetype = deal_catalog_rails) commonField= deal_uuid
| eventstats dc(order_id) as "totalCount" | stats count, sum(totalCount) as total_orders by permalink

MuS · ‎02-19-2018

Hi Valisha2005,

based on the generic example you provided, you can use something like this:

source=x OR source=y
| stats count values(*) AS * by url_id
| sort - count 
| head limit=30

Read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎02-19-2018

Hi Valisha2005,

based on the generic example you provided, you can use something like this:

source=x OR source=y
| stats count values(*) AS * by url_id
| sort - count 
| head limit=30

Read this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn more about this topic.

Hope this helps ...

cheers, MuS

How to join multiple sources with common fields and display stats using fields from both tables

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life