Solved: How to modify my stats search to join multiple fie...

davesullivan41 · ‎10-04-2016

I have data coming in from three sources, with three different sets of fields:

Source 1: Filename
Source 2: Filename, Unique_Identifier
Source 3: Unique_Identifier

These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.

I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.

search query | stats range(_time)  by Unique_Identifier, Filename

But this is only returning data from source 2 where both the Unique_Identifier and Filename fields both exist. Is there a good way to include records from Source 1 and Source 3 as well?

sundareshr · ‎10-04-2016

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

View solution in original post

sundareshr · ‎10-04-2016

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

davesullivan41 · ‎10-05-2016

That seems to have worked, thanks!

How to modify my stats search to join multiple fields from three sources?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio