https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472170#M8172 <P>Give this a try:<BR /> your_search_with_ipaddress_field | join left=L right=R where L.ipaddress=R.host [search your_search_with_host] | stats count by location loglevel</P> Wed, 30 Sep 2020 03:28:49 GMT mydog8it 2020-09-30T03:28:49Z https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472169#M8171 <P>Hi, is there a "standard" way of correlating data from different sources? For example, I have a metadata source and an event source. The metadata source has data such as "ServiceName" or "Location", and an IP address. The event source are logs which have a host, and I would like to get some aggregation data based on the metadata source...</P> <P>meta:<BR /> <CODE>ipaddress=1.2.3.4,location=xyz,service=foo</CODE></P> <P>event:<BR /> <CODE>host=1.2.3.4,loglevel=WARN,message="something"</CODE></P> <P>If i wanted to get chart the count of different log levels by location, what would the best approach be? have tried sub-searches but that works for filtering, would i need some sort of dynamic lookup?</P> Mon, 23 Dec 2019 18:37:48 GMT https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472169#M8171 brettcave 2019-12-23T18:37:48Z https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472170#M8172 <P>Give this a try:<BR /> your_search_with_ipaddress_field | join left=L right=R where L.ipaddress=R.host [search your_search_with_host] | stats count by location loglevel</P> Wed, 30 Sep 2020 03:28:49 GMT https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472170#M8172 mydog8it 2020-09-30T03:28:49Z https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472171#M8173 <P>Is there a reason a standard <CODE>stats</CODE> search wouldn't work for you? Something like</P> <PRE><CODE>(index=index1 sourcetype=...) OR (index=index2, sourcetype=...) |eval groupingIP = coalesce(ipaddress,host) | stats values(location) as location, values(loglevel) as loglevel by groupingIP, someOtherUniqueField | stats count by location, loglevel </CODE></PRE> <P>This will work for you if you can come up with "someOtherUniqueField" to tie a meta log to an event log, otherwise <CODE>values</CODE> will take in duplicate issues and not know how to handle them, and <CODE>list</CODE> also isn't a great option because you're leaning on weird multivalue fields as opposed to creating one true "event issue" to be counted. This could be a _time field, some other unique ID, etc. </P> <P>Essentially, you pull in all of your logs, create a field to "join" on (although <CODE>join</CODE> isn't great given how splunk is architected), in this case I call it groupingIP and I use a <CODE>coalesce</CODE> statement, it could also have been an <CODE>if</CODE> or <CODE>case</CODE> statement, group them together, take the values (unique list of values) of location and loglevel by IP, uniqueGroupField, and then count by location and loglevel.</P> <P>Hope this helps!</P> Mon, 23 Dec 2019 20:06:06 GMT https://community.splunk.com/t5/Knowledge-Management/Correlating-different-types-of-data-from-different-sources/m-p/472171#M8173 aberkow 2019-12-23T20:06:06Z