All Apps and Add-ons

Can Splunk Join between 2 Unions?

royimad
Builder

I have 2 searches with set union and i need to join between those 2 results on a specific column (origine)
can i join between 2 set union search ,if yes how?

Search 1:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

Search 2:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as COMPONENTS]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as COMPONENTS]

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Sure:

| set union [stats count | eval foo = 1] [stats count | eval foo = 1] | join count [set union [stats count | eval bar = 1] [stats count | eval bar = 1]]

View solution in original post

0 Karma

royimad
Builder

The Solution is then:

| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

| JOIN left outer origine,SEVERITY

[ set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as "TOP COMPONENTS"]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as "TOP COMPONENTS"] ]

0 Karma

royimad
Builder

Thanks dude!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

A more general thought, you may be able to pull the where SEVERITY_WEBAPP=somethingsomething part into the main searches, potentially improving performance. The earlier you can let splunk ignore events the less it needs to load off the disks and process.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Sure:

| set union [stats count | eval foo = 1] [stats count | eval foo = 1] | join count [set union [stats count | eval bar = 1] [stats count | eval bar = 1]]
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...