topic Re: Form a single statistics from two different sources on common parameters in Splunk Search

Form a single statistics from two different sources on common parameters

harshal_chakran — Fri, 11 Oct 2013 07:02:23 GMT

Hi,
I am using two different sources, for e.g.source1 and source2, which contains different numeric error on same timestamps.
for e.g.

Source1: 03:43:15.780 errorvalue=202

Source2: 03:43:15.780 errorvalue=222

I want to get the statistics as a combination of both the sources where the Timestamp is a common column, second column containing the error string from source1, third column containing error string from source2 and third giving match or no match clause.

such as

Time Stamp source1 source2 match

03:43:15.780 202 222 yes

Please help

Re: Form a single statistics from two different sources on common parameters

Ayn — Fri, 11 Oct 2013 10:44:11 GMT

What do you mean by "match or no match"? What rule is there for this?

Re: Form a single statistics from two different sources on common parameters

wpreston — Fri, 11 Oct 2013 12:17:40 GMT

I'll make a couple of assumptions:

The errorvalue field has the same name in both sources
The match or no match clause means you want to know if the errorvalue from source1 matches the errorvalue from source2

If these are both correct, try a search like the following:

source=source1 source=source2 errorvalue=* | eval source1=if(source=source1,errorvalue,null()) | eval source2=if(source=source2,errorvalue,null()) | stats count by _time source1 source2 | eval match=if(source1=source2,"yes","no") | fields - count

I'm sure there is a more elegant way of writing this search, but this should do what you want.