Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search on multiple indexes

avitallange
Explorer
‎07-15-2013 03:42 AM

Hi,

I have two indexes: index1, index2.

index1 has a field 'Message' which index2 doesn't have.
There are duplicated messages that I'd like to dedup by |dedup Message.

I'd like to find the records with text "TextToFind" across the 2 indexes but not to get multiple records for the duplicated 'Message' field.

  • index=index1 TextToFind returns 94 results (appear in field Message)
  • index=index2 TextToFind returns 8 results (appear in field Content)
  • (index=index1) OR (index=index2) TextToFind returns 102 results

(index=index1) OR (index=index2) TextToFind | dedup Message returns 2 results from index1 only although the TextToFind appears on index2 as well (in field Content).

Could you please fix my query?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

samhughe
Path Finder
‎07-15-2013 06:31 AM

Is the text you are looking for in index1's message field or is it in a different field?
if so you could use the eval and coalesce functions (http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions) to put them into a new, single field and then dedup. If the text you are looking for isn't in index1's Message field not sure of your best option other than some of the join/subsearch type functions

View solution in original post

Reply
Solved! Jump to solution
Solution

samhughe
Path Finder
‎07-15-2013 06:31 AM

Is the text you are looking for in index1's message field or is it in a different field?
if so you could use the eval and coalesce functions (http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions) to put them into a new, single field and then dedup. If the text you are looking for isn't in index1's Message field not sure of your best option other than some of the join/subsearch type functions

Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 11:55 AM

It worked with the keepempty=true, thank you!

0 Karma
Reply
Solved! Jump to solution

samhughe
Path Finder
‎07-15-2013 08:08 AM

Based on your additional comments, try:
(index=index1) OR (index=index2) TextToFind | eval newField=coalesce(Message,Content) | dedup newField

Assuming there are no duplicates of 'Content' you want to keep.

Or probably the better option is to use the keepempty=true parameter for dedup: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Dedup

Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 08:06 AM

Yes, the test I am looking for is in index1's Message field.
It also appears on index2's Content field.
I updated my question above.
Your help is welcome!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 05:28 AM

If your first search works but your second search returns 0 results, that's because there is no field called Message in your search.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 08:24 AM

See hamhughe's answer which I think is spot on.

0 Karma
Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 08:04 AM

I have a field called Message, I see in the left pane with many other fields. You are right, I got results but I still can't query what I want. I updated my question above.
Your help is welcome!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...