
Can Splunk Join between 2 Unions?

royimad
Builder

I have 2 searches with set union and I need to join those 2 results on a specific column (origine).
Can I join between 2 set union searches? If yes, how?

Search 1:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

Search 2:
| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as COMPONENTS]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as COMPONENTS]

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Sure:

| set union [stats count | eval foo = 1] [stats count | eval foo = 1] | join count [set union [stats count | eval bar = 1] [stats count | eval bar = 1]]


0 Karma

royimad
Builder

The solution is then:

| set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| stats count by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | stats count by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY ]

| join type=left origine, SEVERITY

[ set union [search sourcetype="log4j" | rex field=source "/././(?.)_(?.)(?.).log"
| top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
| where SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN" | rename SEVERITY_WEBAPP as SEVERITY | rename COMPONENTS_WEB as "TOP COMPONENTS"]
[search source="/home/splunk/app4_error_core.log" | rex field=source "/.
/./(?.)
(?.)_(?.).log" | top limit=1 COMPONENTS_CORE by SEVERITY_CORE , origine
| where SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN" | rename SEVERITY_CORE as SEVERITY | rename COMPONENTS_CORE as "TOP COMPONENTS"] ]

0 Karma

royimad
Builder

Thanks dude!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

A more general thought: you may be able to pull the where SEVERITY_WEBAPP=somethingsomething part into the main searches, potentially improving performance. The earlier you can let Splunk ignore events, the less it needs to load off the disks and process.

0 Karma
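Putting martin_mueller's suggestion together with the accepted answer, here is the complete two-union join rewritten as an added example (not code from either poster): the severity filter moves from a post-stats where into each base search so the indexers discard non-matching events before stats runs, and the join subsearch drops the count and percent fields that top emits, because join overwrites same-named fields from the main search by default and would otherwise clobber the stats count. It assumes origine and the SEVERITY_* fields are already extracted at search time, so the rex from the original post is omitted.

```spl
| set union
    [search sourcetype="log4j" (SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN")
     | stats count by SEVERITY_WEBAPP, origine
     | rename SEVERITY_WEBAPP as SEVERITY]
    [search source="/home/splunk/app4_error_core.log" (SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN")
     | stats count by SEVERITY_CORE, origine
     | rename SEVERITY_CORE as SEVERITY]
| join type=left origine, SEVERITY
    [ set union
        [search sourcetype="log4j" (SEVERITY_WEBAPP="ERROR" OR SEVERITY_WEBAPP="FATAL" OR SEVERITY_WEBAPP="WARN")
         | top limit=1 COMPONENTS_WEB by SEVERITY_WEBAPP, origine
         | rename SEVERITY_WEBAPP as SEVERITY, COMPONENTS_WEB as "TOP COMPONENTS"]
        [search source="/home/splunk/app4_error_core.log" (SEVERITY_CORE="ERROR" OR SEVERITY_CORE="FATAL" OR SEVERITY_CORE="WARN")
         | top limit=1 COMPONENTS_CORE by SEVERITY_CORE, origine
         | rename SEVERITY_CORE as SEVERITY, COMPONENTS_CORE as "TOP COMPONENTS"]
      | fields - count, percent ]
| fields origine, SEVERITY, count, "TOP COMPONENTS"
```

The join subsearch is still bounded by the [join] stanza in limits.conf (50,000 results and 60 seconds by default), so on a large deployment the right-hand union can be truncated silently; check the job inspector for subsearch warnings if rows come back without a TOP COMPONENTS value.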
