- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine the results of my different sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine the results of my different searches?
How do I merge search results for this problem:
Search 1 contains Field A, Search 2 contains Field B. Want to merge searches by host, time, and Field A = Field B
What I have so far is:
index =index value sourcetype = sourcetype value host=host value "Search 1" OR "Search 2" |transaction host startswith="Search1" endswith="Search2" maxspan=3s
Gets me sorta close, but I still have a mismatch with Field A and Field B.
I need correlate the results of the searches by host, time, Field A and Field B matching.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| newField = coalesce(FieldA,FieldB)
| transaction host newField startswith="Search1" endswith="Search2" maxspan=3s
You might not need the startswith="Search1" endswith="Search2"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not what I was looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, your syntax is very confusing to me. Do you mean:
index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| transaction host startswith="Search1" endswith="Search2" maxspan=3s
Also, are there many results for "Search1" and "Search2" for each host?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that is the correct syntax. Although I don't know if I'm on the right trail. There won't be too many results for each search.
Basically I have logs from a device. I'm trying to merge searches from two different sections of the logs. Search 1 shows a trigger for a channel. Search 2 shows the result of that trigger. There is a field in Search 1 (FieldA) that has the channel ID. Search 2 has a field (FieldB) that has the channel ID. Since host is the same for both searches, using the transaction command combines the logs by host, but Field A and Field B are all mixed up.
I have the 2 searches:
index=myIndex sourcetype=asourcetype host=xyzHost "Search 1"
Result contains Field A which is equal to A-Z
index=myIndex sourcetype=asourcetype host=xyzHost "Search 2"
Result contains Field B which is equal to A-Z
I want to merge to one transaction. I have no problem with host since it is the same field, but how do I handle Field A and Field B?
I want the combined search to show me logs where the hosts are the same and Field A and Field B match.
Does that make any sense???
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
