- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I count same field from different sourcety...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I count same field from different sourcetypes?
I have two sourcetypes. In both, there is a field present that has the same value in both but just another name, let's say Field1 en Field1a
Normally each value is present in both. This can be more than once but then also in both. Sometimes the value is only present in 1 of the sourcetypes. I want to determine when this happens. I thought it would be easy by just counting the number of each value in both sources and when the two counts are different I would know. But somehow I am not able to do a count of them both, someone ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mike6960, you would need to create a Field Alias Knowledge Object for one of the sourcetype to make both the fields names as same lets say Field1.
If you are creating a Field Alias For sourcetype B will have effect similar to following command eval Field1=Field1a
If you want to do something similar in your Splunk Query you can try the following:
index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB
| rename Field1a as Field1
| stats count by sourcetype Field1
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @niketnilay,
I've created a fieldalias and I use chart count by sourcetype 'and' Field1. I almost have the result I want. The result is now a table which shows which shows the Field1 and how many times its exists in each sourcetype. Now I want to see only the results where the counts are not equal....?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of stats use chart,
<YourBaseSearch>
| chart count by Field1 sourcetype
| search sourcetypeA!=sourcetypeB
Or
<YourBaseSearch>
| chart count over Field1 by sourcetype
| search sourcetypeA!=sourcetypeB
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketn , I produced this :
Fieldalias for B_C and B_X is B_C_X
| eval B_C_X =ltrim(tostring(B_C_X ),"0")
| chart count(B_C) as T count(B_X) as T2 by B_C_X
| where T!= T2
| fillnull
if I use 'search' instead of 'where' I still get mutiple rows with all the results. Now I only need to figure out how to show the sourcetype in the result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does something like this help?
index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB | stats count(my_field) as count by sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but the 'my field' has a different name in both sourcetypes so I can't count by just one field
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
