Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract data

1014502
New Member
‎02-05-2020 07:47 PM

I want to know how to take data from multiple data sources by ID.
The following is an example of a data source.
A Datasource(A-id,B-id or C-id,B-Manhour or C-Manhour)
B Datasource(B-id,B-subject)
C Datasource(C-id,B-id,C-subject)
※A datasource is Man-hour information、B Datasource is Parent ticket information、C-datasource is Child ticket information

I want the output below.
id subject man-hour
B-id B-subject Total value of B-Manhour
B-id B-subject Total value of B-Manhour+Total value of C-Manhour
B-id B-subject Total value of C-Manhour

Please tell me how to do it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-06-2020 06:02 PM 
index=your_index source=A OR source=B OR souce=C
| stats sum(Manhour) as Monhour values(subject) as subject by B-id , C-id

There is no sample, maybe not works.
That's life.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-06-2020 06:02 PM 
index=your_index source=A OR source=B OR souce=C
| stats sum(Manhour) as Monhour values(subject) as subject by B-id , C-id

There is no sample, maybe not works.
That's life.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-06-2020 05:55 AM

Hi @1014502,
your requisites aren't so clear, correct me if I'm wrong:

  • in A Datasource all the fields are in different columns (A-id,B-id or C-id,B-Manhour or C-Manhour);
  • you want different calculations for each row (in row1 B-Manhour, in row2 B-Manhour+Total value of C-Manhour and in row3 C-Manhour)
  • you want three rows for each B-id,
  • relation between B-id and C-id is in C Datasource.

Is it correct?

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

1014502
New Member
‎02-06-2020 05:06 PM

Hi@gcusello
.in A Datasource all the fields are in different columns (A-id,B-id or C-id,B-Manhour or C-Manhour);

Example for A Datasource bellow.
( A-id,B-id,B-Manhour
A-id,C-id,C-Manhour )
A Datasource is the man-hour information of B ticket or C ticket.
・you want different calculations for each row (in row1 B-Manhour, in row2 B-Manhour+Total value of C-Manhour and in row3 C-Manhour)
Yes.
・you want three rows for each B-id,
Yes.
relation between B-id and C-id is in C Datasource.
Yes.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-07-2020 11:57 PM

Hi @1014502,
if it's acceptable for you to have results in three columns, you could run something like this:

index=A Or index=B OR index=C
| stats sum(B-Manhour) AS B-Manhour sum(C-Manhour) AS C-Manhour BY B-id
| eval BC=B-Manhour+C-Manhour

I cannot test it, check in this way or adding C-id in BY clause of the stats command:

index=A Or index=B OR index=C
| stats sum(B-Manhour) AS B-Manhour sum(C-Manhour) AS C-Manhour BY B-id C-id
| eval BC=B-Manhour+C-Manhour

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...