topic Re: How do you combine two different searches with two different sources? in Splunk Dev

How do you combine two different searches with two different sources?

edwardryan — Tue, 20 Nov 2018 13:39:01 GMT

Hello,

I am attempting to use Splunk to search two log files that hold activity for two platforms of an application "IOS" & "Android".
The log file for each platform unfortunately uses a different identifier for login behavior.

I would like to combine both searches into one.

Currently each of my searches look like the following (some filters are the same)

> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1"earliest=-1hr latest=now | timechart span=5m count by host
> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host

I would like to have the result displayed as follows; total, android and ios.

I am using the JAVA API to splunk, so as long as I can differentiate Android from IOS on the response, that is ok.

Time | Total Logins | Android Logins | IOS Logins
01:00 | 10 | 8 | 2
02:00 | 15 | 10 | 5

I have looked into "multiSearch" and "subsearches" but I am new to using Splunk and do not know exactly what I am trying to do.

Any help is greatly appreciated!

Thank you,
Anon

EDIT: Considering I can differentiate between each platform via "source", the following query does produce a correct result, although I'm unsure if its the correct way. Is there a better way to obtain the following:

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
OR
(index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m 
| stats count by _time, source, host 
| sort - Time

Re: How do you combine two different searches with two different sources?

skoelpin — Tue, 20 Nov 2018 15:36:17 GMT

Try this

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
  ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| timechart span=5m count by host

Re: How do you combine two different searches with two different sources?

somesoni2 — Tue, 20 Nov 2018 16:24:33 GMT

Try like this (check eval command to ensure the mapping of source is correct)

index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| eval type=if(source="/var/log/jboss/server.log","Android","IOS")
 | timechart span=5m count by type
| eval "Total Logins"=Android + IOS

Re: How do you combine two different searches with two different sources?

richgalloway — Wed, 21 Nov 2018 01:20:03 GMT

Looks like you've solved your problem. The only change I'd make is | bucket span=1h _time.

Put your edit into an answer and accept it.

Re: How do you combine two different searches with two different sources?

skoelpin — Wed, 21 Nov 2018 14:41:51 GMT

Sometimes I ask myself why do I even contribute when most users don't even bother to accept the answer after using the solution provided

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:03:54 GMT

@skoelpin No one has posted a solution that I have used yet

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:05:53 GMT

Unfortunately I can't use timechart because I need to groupBy multiple fields. "stats count by" looks to be what I require.

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:07:53 GMT

@richgalloway I need the data structured at small intervals, that is why I was using span=5m over an hour period. Mainly because I would like to chart the output

Re: How do you combine two different searches with two different sources?

skoelpin — Wed, 21 Nov 2018 15:08:47 GMT

You're question was how to combine 2 different searches with different sources. You have 2 solutions which you used and said it works.. You have not responded back or clarified what doesn't work.. What didn't get answered??

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:09:36 GMT

Thanks, the eval command looks useful - I was doing this mapping afterwards using Java, but your solution looks a lot better.

Re: How do you combine two different searches with two different sources?

skoelpin — Wed, 21 Nov 2018 15:09:51 GMT

Then use stats... What's the issue?

(index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1)
   ("searchCriteria1") OR ( "searchCriteria2")  earliest=-1hr latest=now
| bin _time span=5m
| stats  count by host, <OTHER FIELD>

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:12:14 GMT

There is no issue, I am using stats. I left a comment to say why I disagreed with your solution, would you rather I didnt comment at all?

I am using stats, as seen by initial edit in the question - BEFORE you commented this answer

Re: How do you combine two different searches with two different sources?

edwardryan — Wed, 21 Nov 2018 15:14:04 GMT

@skoelpin can you relax? The solution I'm using at the moment is the one I created. The first solution you posted does not work. The second solution let me know how to use the eval function which I am using. Why are you so agitated? I did not respond because like you I'm in work and didn't have time to respond within 24 hours... fucking hell

Re: How do you combine two different searches with two different sources?

skoelpin — Wed, 21 Nov 2018 15:16:17 GMT

So what part of your original question did we not answer?

Re: How do you combine two different searches with two different sources?

woodcock — Wed, 21 Nov 2018 16:07:45 GMT

The solution in your update is A-OK.

Re: How do you combine two different searches with two different sources?

edwardryan — Thu, 22 Nov 2018 10:46:20 GMT

I found the following worked for me.
Keypoints being the use of "OR" to separate the queries and "bucket" to divide the data

 (index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer") 
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
 | bucket _time span=5m 
 | stats count by _time, source, host 
 | sort - Time

Re: How do you combine two different searches with two different sources?

skoelpin — Mon, 26 Nov 2018 14:39:15 GMT

Yes this was shown to you as a solution.. Not sure why you're taking credit for solutions others provided, but might as well close it out....