topic Re: How to search for and chart multiple values for different sourcetypes? in Splunk Search

How to search for and chart multiple values for different sourcetypes?

clintla — Thu, 27 Oct 2016 00:15:38 GMT

I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.

For example:

Sourcetype A
field1 field2 field3 field4

Sourcetype B
field5 field6 field7 field8

Chart values(field1), values(field2), values(field3), values(field6), values(field7)

I want to search for something where the search string will be contained in field 1 & 5 will be the same & then collect all the data from those lines in Sourcetypes A & B

I get Sourcetype A or B.. but not both. However, in the "Interesting Fields" from the search, I get everything so I know the data is there.

Re: How to search for and chart multiple values for different sourcetypes?

lquinn — Thu, 27 Oct 2016 00:46:13 GMT

What is the current search that you are using?

Re: How to search for and chart multiple values for different sourcetypes?

lguinn2 — Thu, 27 Oct 2016 01:17:51 GMT

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?

Re: How to search for and chart multiple values for different sourcetypes?

clintla — Thu, 27 Oct 2016 18:09:30 GMT

I'm almost wanting a lookup. 2 sources that I'd like to combine into 1 source really.

so field1 & field5 I want to search (those 2 fields have the same list of items). So if I search field1. I want to find those all those fields in both sourcetypes.

Re: How to search for and chart multiple values for different sourcetypes?

clintla — Thu, 27 Oct 2016 23:26:30 GMT

The stats command works.. but due to one sourcetype has multi instances & the other has 1, they don't lineup.

I ended up doing panels w/ a drill downs that worked exceedingly well. Lisa, I think you usually come to the rescue on my questions & you did again (the answer was right but it got me going to an even better answer) ... as always.. thanks for the assistance.