topic Re: Using two sourcetypes - lookup in Splunk Search

Using two sourcetypes - lookup

HeinzWaescher — Tue, 20 May 2014 14:02:23 GMT

Hi,

there are two sourcetypes A & B which I want to use a search. Both them have a field userid.

Let's say sourcetype A tells us userId=1 is from country=US. In sourcetype B the field country does not exist. Is there a possibility to do a lookup in search time, that the country is added for all events of userid=1 in sourcetype B as well?

It would be possible to run a search for sourcetype A and create a lookup.csv.

col1,col2
userid,country

And use this csv in a next step:

sourcetype=A OR sourcetype=B | lookup lookup.csv userid OUTPUT country

But I think there is a better/easier way which I don't know 🙂

BR Heinz

Re: Using two sourcetypes - lookup

somesoni2 — Tue, 20 May 2014 14:10:05 GMT

Try this

sourcetype=A OR sourcetype=B | eventstats first(country) as userCountry by userid | eval country=coalesce(country,userCountry) |...

another option:

sourcetype=A OR sourcetype=B | streamstats first(country) as country by userid | .....

Re: Using two sourcetypes - lookup

HeinzWaescher — Tue, 20 May 2014 14:15:47 GMT

thanks, this works as well. but in my experience eventstats is veeery slow, so I would like to avoid it if possible

Re: Using two sourcetypes - lookup

somesoni2 — Tue, 20 May 2014 14:23:04 GMT

There may be a better solution if you could tell what is the ultimate requirement? Sample output or something? (I am sure, you don't just want to see the data in raw format)

Re: Using two sourcetypes - lookup

HeinzWaescher — Wed, 21 May 2014 08:34:09 GMT

In the end I want to calculate different stats by country. To include data from sourcetype B as well, I need the field country for the userids in this sourcetype.