All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can Splunk Join between 2 Unions?

royimad
Builder
‎04-08-2013 09:11 AM

I have 2 searches with set union and i need to join between those 2 results on a specific column (origine)
can i join between 2 set union search ,if yes how?

Search 1:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/././(?.)(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

Search 2:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as COMPONENTS]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/././(?.)(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as COMPONENTS]

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-08-2013 09:37 AM

Sure:

| set union [stats count | eval foo = 1] [stats count | eval foo = 1] | join count [set union [stats count | eval bar = 1] [stats count | eval bar = 1]]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-08-2013 09:41 AM

The Solution is then:

| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/././(?.)(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

| JOIN left outer origine,SEVERITY

[ set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as "TOP COMPONENTS"]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/././(?.)(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as "TOP COMPONENTS"] ]

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎04-08-2013 09:50 AM

Thanks dude!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-08-2013 09:48 AM

A more general thought, you may be able to pull the where SEVERITY_WEBAPP=somethingsomething part into the main searches, potentially improving performance. The earlier you can let splunk ignore events the less it needs to load off the disks and process.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-08-2013 09:37 AM

Sure:

| set union [stats count | eval foo = 1] [stats count | eval foo = 1] | join count [set union [stats count | eval bar = 1] [stats count | eval bar = 1]]
0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top