topic How to evaluate data match from 2 sources in Splunk Search

How to evaluate data match from 2 sources

tkwaller1 — Thu, 23 Jan 2025 14:24:51 GMT

I have a search that searches 2 different indexes. We expect that there is 1 record from each index for a single id. The search is pretty simple:

index=index1 | rename Number__c as EventId | append [search index=index2 sourcetype="api" ] | stats count by EventId | search count < 2

What i would like to do now is evaluate that there is a single record from each index for each EventId, to ensure that the count of 2 isn't 2 records in a single index. There are times where, in index2, a single EventId has more than one record which makes the count inaccurate because it's not evaluating whether there was a record for it in index1.

Re: How to evaluate data match from 2 sources

richgalloway — Thu, 23 Jan 2025 14:44:18 GMT

Try counting the number of indexes for each EventId.

index=index1 | rename Number__c as EventId | append [search index=index2 sourcetype="api" ] | stats count, dc(index) as indexCount by EventId | search count < 2 OR indexCount=1

Also, the append command is inefficient and not necessary in this case. Try this

index=index1 OR (index=index2 sourcetype="api") | rename Number__c as EventId | stats count, dc(index) as indexCount by EventId | search count < 2 OR indexCount=1

Re: How to evaluate data match from 2 sources

tkwaller_2 — Tue, 04 Feb 2025 19:46:10 GMT

This worked well.
Last question:
If i wanted to ensure the single record that i find only comes from search 1 and not from search 2. how would i do that.

Thanks again

Todd

Re: How to evaluate data match from 2 sources

tkwaller_2 — Tue, 04 Feb 2025 20:06:04 GMT

This worked well.
Last question:
If i wanted to ensure the single record that i find only comes from search 1 and not from search 2. how would i do that.

Thanks again

Todd