Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate fields from two different searches?

SaamerS
New Member
‎05-29-2018 11:01 AM

Thanks in advance.

I have events from two different sources:

The first source (let's call it Source A) has the following fields in its events:
1. Name of job
2. Parent job

Source B:
1. Name of Job (Same as source A, but could be parent or child)
2. runTime

The run-time of the parent jobs can be broken down by the run-times of its child, but the correlation between parent and child can only be found in the first source.

I am stumped by this because the information is from two different sources. Any help will be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime
0 Karma
Reply
Solved! Jump to solution

SaamerS
New Member
‎05-31-2018 06:50 AM

@richgalloway
I would like to create a pie chart of how the children run-times breakdown the parent's run-time

@xpac
One parent, multiple children relationship. Children can't have children jobs.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:05 PM

Is this a single level relation?
Like, do all jobs belong to some parent job, and that's it? Or do some jobs have child jobs, and those have child jobs, and so on?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 11:31 AM

What is your question? What is your desired output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...