Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for and chart multiple values for different sourcetypes?

clintla
Contributor
‎10-26-2016 05:15 PM

I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.

For example:

Sourcetype A
field1 field2 field3 field4

Sourcetype B
field5 field6 field7 field8

Chart values(field1), values(field2), values(field3), values(field6), values(field7)

I want to search for something where the search string will be contained in field 1 & 5 will be the same & then collect all the data from those lines in Sourcetypes A & B

I get Sourcetype A or B.. but not both. However, in the "Interesting Fields" from the search, I get everything so I know the data is there.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-26-2016 06:17 PM

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-26-2016 06:17 PM

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?

Reply
Solved! Jump to solution

clintla
Contributor
‎10-27-2016 04:26 PM

The stats command works.. but due to one sourcetype has multi instances & the other has 1, they don't lineup.

I ended up doing panels w/ a drill downs that worked exceedingly well. Lisa, I think you usually come to the rescue on my questions & you did again (the answer was right but it got me going to an even better answer) ... as always.. thanks for the assistance.

Reply
Solved! Jump to solution

clintla
Contributor
‎10-27-2016 11:09 AM

I'm almost wanting a lookup. 2 sources that I'd like to combine into 1 source really.

so field1 & field5 I want to search (those 2 fields have the same list of items). So if I search field1. I want to find those all those fields in both sourcetypes.

0 Karma
Reply
Solved! Jump to solution

lquinn
Contributor
‎10-26-2016 05:46 PM

What is the current search that you are using?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...