topic How to separate sets of information with same field values without using JOIN? in Splunk Search

How to separate sets of information with same field values without using JOIN?

karthi2809 — Tue, 23 Apr 2024 11:56:47 GMT

Hi All,

I have field called filename .SO i want to populate the result from the filename field and i created two joins to separate. Is there any other way without using Join

Success File and Failure File

| join CorrelationId type=left [ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*" ,"*successful Call*" , "*file processed successfully*" , "*Archive file processed successfully*" , "*processed successfully for file name*") | rename content.Filename as SuccessFileName correlationId as CorrelationId | table CorrelationId SuccessFileName | stats values(*) as * by CorrelationId] | table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp | join CorrelationId type=left [ | search index=mulesoft applicationName IN (p-oracle-fin-processor , p-oracle-fin-processor-2 , p-wd-finance-api) AND priority IN (ERROR,WARN) | rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg | table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp

Re: How to separate sets of information with same field values without using JOIN?

gcusello — Tue, 23 Apr 2024 12:01:47 GMT

Hi @karthi2809,

to help you I need also the main search.

Anyway, you should:

create a main search putting in OR the three searches,
correlate them using the stats command By the common key and adding values(field_name) As field_name for each field that you want to display.

Ciao.

Giuseppe

Re: How to separate sets of information with same field values without using JOIN?

karthi2809 — Tue, 23 Apr 2024 12:22:55 GMT

Hi @gcusello
Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file

This is my new query :

index=mulesoft environment=* (applicationName IN ("Test")) | stats values(content.FileList{}) as FileList values(content.FileName) as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*") OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1) | eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN") OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName

Re: How to separate sets of information with same field values without using JOIN?

gcusello — Tue, 23 Apr 2024 13:02:30 GMT

Hi @karthi2809,

after a stats command you have only the fields present in the stats command, so in your case you don't have priority and message fields that you would use in the evals after the stats.

Locate the eval before the stats and add the related fields to the stats.

Ciao.

Giuseppe