Alerting

How should I extract data from 2 logs with some logic? Can someone help on this?

sunil04mca
Explorer

Table 1 - Student_id   Student_name   Address

          101          john           Bang
          105          han            Singa
          102          vish           India
          103          ram            Lond

Table 2 - Student_name   Status   marks

Students attempt exams multiple times; I need to extract only the failed students' details. Can anyone help?

Student_name   Status   marks

john           fail     30
han            fail     10
ram            fail     20
vish           Pass     50
han            Pass     90
ram            Pass     50

The output should be as below after combining data from both logs. Since ram passed in the second attempt, ram should not be displayed.

Student_id   Address   Student_name   Status   marks

101          Bang      john           fail     30
105          Singa     han            fail     10


ITWhisperer
SplunkTrust
... search to gather entries from both sources e.g. index=Table1 OR index=Table2
| stats values(Student_id) as Student_id, values(Address) as Address, values(Status) as Status, values(marks) as marks by Student_name
| eval failed=if(isnull(mvfind(Status,"Pass")),"fail", "Pass")
| where failed="fail"
| table Student_id, Address, Student_name, Status, marks
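
As an added example (not ITWhisperer's or Splunk's code), here is a Python emulation of that pipeline over constructed records: `stats values(...) by Student_name` becomes a group-by into sorted, de-duplicated lists, `mvfind` a case-sensitive regex scan over those lists, and `where failed="fail"` a filter. On the data as posted, han also has a Pass row, so this logic (like the SPL) drops han as well as ram; and the field name must be spelled with the same case everywhere (`Student_id`), since Splunk field names are case-sensitive.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the two sources in the post (index=Table1 / index=Table2).
TABLE1 = [
    {"Student_id": "101", "Student_name": "john", "Address": "Bang"},
    {"Student_id": "105", "Student_name": "han", "Address": "Singa"},
    {"Student_id": "102", "Student_name": "vish", "Address": "India"},
    {"Student_id": "103", "Student_name": "ram", "Address": "Lond"},
]
TABLE2 = [
    {"Student_name": "john", "Status": "fail", "marks": "30"},
    {"Student_name": "han", "Status": "fail", "marks": "10"},
    {"Student_name": "ram", "Status": "fail", "marks": "20"},
    {"Student_name": "vish", "Status": "Pass", "marks": "50"},
    {"Student_name": "han", "Status": "Pass", "marks": "90"},
    {"Student_name": "ram", "Status": "Pass", "marks": "50"},
]
FIELDS = ("Student_id", "Address", "Status", "marks")

def stats_values_by_name(events):
    """Emulate `| stats values(f) as f ... by Student_name`: one row per name,
    each field a sorted, de-duplicated list (a Splunk multivalue field)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ev in events:
        name = ev.get("Student_name")
        if name is None:  # stats drops events that lack the by-field
            continue
        for f in FIELDS:
            if f in ev:
                grouped[name][f].add(ev[f])
    return {n: {f: sorted(v[f]) for f in FIELDS} for n, v in grouped.items()}

def mvfind(values, pattern):
    """Emulate mvfind(): index of the first value matching the regex, else None (case-sensitive)."""
    rx = re.compile(pattern)
    return next((i for i, v in enumerate(values) if rx.search(v)), None)

def failed_students(table1, table2, pass_pattern="Pass"):
    """Merge both sources and keep only students with no Pass record at all."""
    out = []
    for name, r in sorted(stats_values_by_name(table1 + table2).items()):
        failed = "fail" if mvfind(r["Status"], pass_pattern) is None else "Pass"
        if failed == "fail":  # `| where failed="fail"`
            out.append({"Student_id": r["Student_id"], "Address": r["Address"],
                        "Student_name": name, "Status": r["Status"], "marks": r["marks"]})
    return out

print(failed_students(TABLE1, TABLE2))  # only john survives; han and ram each have a Pass row
```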
