Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Evalute results based on like-fields from two different indexes?

jl19
Explorer
‎08-16-2017 12:04 PM

I have entries in IndexA that I want to find failures for. However, if IndexB has an entry with the same field and is a 'success' entry then I want to exclude it from the results entirely.

Example:
IndexA
Entry1
- Result: Failure
- ID: 1
Entry2
- Result: Failure
- ID: 2

IndexB
Entry1
- Result: Success
- ID: 1

The search would only return Entry2 from IndexA in this scenario because ID:1 exists in both A and B so Entry1 was excluded. I can't figure out how to get these to properly exclude based on results from IndexB. I've been attempting sub-searches and joins but the results aren't coming through.

Any help would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-16-2017 02:20 PM

There are tons of ways, depending on the data

(index="A" "Failure")  OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-16-2017 02:20 PM

There are tons of ways, depending on the data

(index="A" "Failure")  OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-16-2017 02:42 PM

@jl19 - if this solved your issue, then please accept the answer so it will show closed. If not, please feel free to ask for more information here. Thanks!

Reply
Solved! Jump to solution

jl19
Explorer
‎08-16-2017 03:13 PM

I had to tweak it a little more for my use case but this got me through the wall I was hitting. Thank you very much for your help! This was great!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-16-2017 03:46 PM

@jl19 - that's sometimes how it works. A lot of questions in splunk are largely answered by pulling out all the complications already introduced, and doing simple respecifications that start at the record level. Glad it worked out.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...