How do you combine two different searches with two...

edwardryan · ‎11-20-2018

Hello,

I am attempting to use Splunk to search two log files that hold activity for two platforms of an application "IOS" & "Android".
The log file for each platform unfortunately uses a different identifier for login behavior.

I would like to combine both searches into one.

Currently each of my searches look like the following (some filters are the same)

> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1"earliest=-1hr latest=now | timechart span=5m count by host
> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host

I would like to have the result displayed as follows; total, android and ios.

I am using the JAVA API to splunk, so as long as I can differentiate Android from IOS on the response, that is ok.

Time | Total Logins | Android Logins | IOS Logins
01:00 | 10 | 8 | 2
02:00 | 15 | 10 | 5

I have looked into "multiSearch" and "subsearches" but I am new to using Splunk and do not know exactly what I am trying to do.

Any help is greatly appreciated!

Thank you,
Anon

EDIT: Considering I can differentiate between each platform via "source", the following query does produce a correct result, although I'm unsure if its the correct way. Is there a better way to obtain the following:

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
OR
(index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m 
| stats count by _time, source, host 
| sort - Time

edwardryan · ‎11-22-2018

I found the following worked for me.
Keypoints being the use of "OR" to separate the queries and "bucket" to divide the data

 (index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
 | bucket _time span=5m 
 | stats count by _time, source, host 
 | sort - Time

skoelpin · ‎11-26-2018

Yes this was shown to you as a solution.. Not sure why you're taking credit for solutions others provided, but might as well close it out....

woodcock · ‎11-21-2018

The solution in your update is A-OK.

richgalloway · ‎11-20-2018

Looks like you've solved your problem. The only change I'd make is | bucket span=1h _time.

Put your edit into an answer and accept it.

---
If this reply helps you, Karma would be appreciated.

skoelpin · ‎11-21-2018

Sometimes I ask myself why do I even contribute when most users don't even bother to accept the answer after using the solution provided

edwardryan · ‎11-21-2018

@skoelpin No one has posted a solution that I have used yet

skoelpin · ‎11-21-2018

You're question was how to combine 2 different searches with different sources. You have 2 solutions which you used and said it works.. You have not responded back or clarified what doesn't work.. What didn't get answered??

edwardryan · ‎11-21-2018

@skoelpin can you relax? The solution I'm using at the moment is the one I created. The first solution you posted does not work. The second solution let me know how to use the eval function which I am using. Why are you so agitated? I did not respond because like you I'm in work and didn't have time to respond within 24 hours... fucking hell

edwardryan · ‎11-21-2018

@richgalloway I need the data structured at small intervals, that is why I was using span=5m over an hour period. Mainly because I would like to chart the output

somesoni2 · ‎11-20-2018

Try like this (check eval command to ensure the mapping of source is correct)

index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| eval type=if(source="/var/log/jboss/server.log","Android","IOS")
 | timechart span=5m count by type
| eval "Total Logins"=Android + IOS

edwardryan · ‎11-21-2018

Thanks, the eval command looks useful - I was doing this mapping afterwards using Java, but your solution looks a lot better.

skoelpin · ‎11-20-2018

Try this

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
  ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| timechart span=5m count by host

edwardryan · ‎11-21-2018

Unfortunately I can't use timechart because I need to groupBy multiple fields. "stats count by" looks to be what I require.

skoelpin · ‎11-21-2018

Then use stats... What's the issue?

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
   ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| bin _time span=5m
| stats  count by host, <OTHER FIELD>

edwardryan · ‎11-21-2018

There is no issue, I am using stats. I left a comment to say why I disagreed with your solution, would you rather I didnt comment at all?

I am using stats, as seen by initial edit in the question - BEFORE you commented this answer

skoelpin · ‎11-21-2018

So what part of your original question did we not answer?

How do you combine two different searches with two different sources?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability