
Can I refer to two sources which belong to the same sourcetype & index and create a search?

Path Finder

I have two Excel files, one of which contains the time and ticket number, and the other has ticket number and UserCountry. I now have to create a panel which displays ticket number and UserCountry for only the tickets that were raised during the after hours, that is, between 5 p.m. and 7 a.m. (next morning).

0 Karma

Splunk Employee

Try using a join.

index=yourindex sourcetype=yoursourcetype source=source1
| join ticketnumber 
    [ search index=yourindex sourcetype=yoursourcetype source=source2
    | fields ticketnumber country] 
| table _time ticketnumber country

0 Karma
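
An added example, not part of the answer above: the same correlation written with `stats` instead of `join`, restricted to the after-hours window from the question. It assumes both files are indexed as events, that `_time` on the source1 events is the time the ticket was raised, and that the fields are extracted as `ticketnumber` and `UserCountry`; `yourindex`, `yoursourcetype`, `source1` and `source2` are the placeholders used in the answer.

```spl
index=yourindex sourcetype=yoursourcetype (source=source1 OR source=source2)
| eval hour=if(source=="source1", tonumber(strftime(_time, "%H")), null())
| stats min(hour) as hour values(UserCountry) as UserCountry by ticketnumber
| where hour>=17 OR hour<7
| table ticketnumber UserCountry
```

Tickets that have no event in source1 get no `hour` value and are dropped by the `where` clause, so only tickets with a known after-hours time reach the panel.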

SplunkTrust

How is this Excel file data available in Splunk: as a lookup table file or as indexed data?

0 Karma