I have two sourcetypes. In both, there is a field present that has the same value in both but just a different name, let's say Field1 and Field1a.
Normally each value is present in both. This can be more than once, but then also in both. Sometimes the value is only present in one of the sourcetypes. I want to determine when this happens. I thought it would be easy by just counting the number of each value in both sources, and when the two counts are different I would know. But somehow I am not able to do a count of them both. Does anyone have ideas?
@Mike6960, you would need to create a Field Alias Knowledge Object for one of the sourcetypes to make both field names the same, let's say Field1.
If you are creating a Field Alias for sourcetype B, it will have an effect similar to the following command: eval Field1=Field1a
If you want to do something similar in your Splunk query, you can try the following:
index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB
| rename Field1a as Field1
| stats count by sourcetype Field1
Hi @niketnilay,
I've created a field alias and I use chart count by sourcetype 'and' Field1. I almost have the result I want. The result is now a table which shows the Field1 values and how many times each exists in each sourcetype. Now I want to see only the results where the counts are not equal?
Instead of stats, use chart:
<YourBaseSearch>
| chart count by Field1 sourcetype
| search sourcetypeA!=sourcetypeB
Or:
<YourBaseSearch>
| chart count over Field1 by sourcetype
| search sourcetypeA!=sourcetypeB
@niketn, I produced this:
Field alias for B_C and B_X is B_C_X
| eval B_C_X=ltrim(tostring(B_C_X),"0")
| chart count(B_C) as T count(B_X) as T2 by B_C_X
| where T!= T2
| fillnull
If I use 'search' instead of 'where', I still get multiple rows with all the results. Now I only need to figure out how to show the sourcetype in the result.
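An added example, not from any of the posters, that combines the chart-and-filter approach from the reply above with an extra eval that names which sourcetype is missing the value. The index, sourcetype names and the aliased field name Field1 are assumptions taken from the thread; the fillnull before the where is needed because a comparison against a null count evaluates to false and would silently drop exactly the rows where a value exists in only one sourcetype.

```spl
index=blah (sourcetype=sourcetypeA OR sourcetype=sourcetypeB)
| rename Field1a as Field1
| chart count over Field1 by sourcetype
| fillnull value=0 sourcetypeA sourcetypeB
| where sourcetypeA!=sourcetypeB
| eval missing_from=case(sourcetypeA=0, "sourcetypeA", sourcetypeB=0, "sourcetypeB", true(), "present in both, counts differ")
| table Field1 sourcetypeA sourcetypeB missing_from
```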
Does something like this help?
index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB | stats count(my_field) as count by sourcetype
Thanks, but 'my_field' has a different name in both sourcetypes, so I can't count by just one field.