Splunk Search

How to consider values of a field from the events of type1 when it does not exist in type2?

bollam
Path Finder

Hello,

I have got two types of events, typeA and typeB. In both I'm interested in only a single field, "Success".
If the field Success does not exist, or its value is "", in typeA, then it should consider the value of Success from typeB.
How do I do this?

0 Karma

tom_frotscher
Builder

Hi,

The answer depends on how exactly your events look. But in general you can do something with stats to get both fields into one event:

your search | stats list(Success) as l_success by id | eval Success=mvindex(l_success,0)

I think to finally answer this question, we need more information about your events.

Greetings

Tom

bollam
Path Finder

@tom_frotscher, please find the events and a bit more description of the requirement.

I have got events with two different types, type=First and type=Second.

I would like to get the consolidated tags (with unique tags) from both types based on the following conditions.

i) If both types have a value for tag, then on priority it should consider the value of tag from type=First and ignore the tag value from type=Second, whether it has a value or not.
ii) If tag has no value, i.e. "", in type=First and the tag of type=Second has a value, then it should consider the value from type=Second for the same id as type=First.
iii) If both types have no value in tag, we can ignore this.

Note: the values of id_first and id_second has same values but the naming convention is different.

time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag=""

time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great"

output:

tag id
some 210469
where 210469
fishy 210470
wrong 210483
great 210487

0 Karma

bollam
Path Finder

Update:

Both types will have a common id. If typeA does not contain "Success" for id "123", it should consider the value of "Success" from typeB, which has the same id "123".

0 Karma
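Added example (not from any poster in this thread): one SPL search that implements rules i) to iii) from the tag/id_first/id_second post above, and, with the field names swapped, the Success/typeA/typeB case from the update. It assumes the sample events are indexed in an index and sourcetype named here as index=app and sourcetype=app_events (both hypothetical); everything else uses the field names shown in the posted events.

```spl
index=app sourcetype=app_events (type="First" OR type="Second")
| eval id=coalesce(id_first, id_second)
| eval tag_first=if(type="First" AND isnotnull(tag) AND tag!="", tag, null())
| eval tag_second=if(type="Second" AND isnotnull(tag) AND tag!="", tag, null())
| stats values(tag_first) AS tag_first values(tag_second) AS tag_second BY id
| eval tag=coalesce(tag_first, tag_second)
| where isnotnull(tag)
| table id tag
```

Stage by stage: the first eval unifies id_first and id_second into one id so stats can group the two types together (for the Success/typeA/typeB case the id is already shared, so that line can be dropped). The next two evals copy tag into a per-type field only when it is present and non-empty; the isnotnull() test covers the case where Splunk's automatic key=value extraction does not create a field for tag="", and the tag!="" test covers the case where it creates an empty one, so the search works either way. stats values() drops nulls, which is what makes the priority rule work: an empty or missing First tag leaves tag_first null, and coalesce() then falls through to tag_second, while a populated First tag is taken and the Second tag ignored (rules i and ii). The where clause discards ids where neither type carried a tag (rule iii). On the posted sample this yields 210468 some, 210469 where, 210470 fishy, 210487 wrong, 210491 great and drops 210483. Compared with list() plus mvindex(...,0), this does not depend on which event happens to arrive first, since the choice is made on type, not on event order. If an id can have several First events with different tags, tag_first becomes multivalue; add | eval tag=mvindex(tag,0) or define which value should win before relying on the result.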