- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Compare three data sources
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare three data sources
Hello
I have three sources I should compare fields. Lets say index =A index=B and index=C. All the three sources have a unique field D. I should compare values that are in index B and index C to be present in index=A if index A has values other than that of index B & C then I should get a result as unauthorized.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If D is the transaction ID to correlate the same event in three indexes then you can try
index=A OR index=B OR index=C <Add your Base Search Filter cirteria/s>
| stats count as EventCount values(index) as MatchedIndexes min(_time) as MinTime max(_time) as MaxTime by D
| search MatchedIndexes=A AND MatchedIndexes=B AND MatchedIndexes!=C
| eval durationInSeconds=MaxTime-MinTime
| eval _time=MinTime
| table _time D EventCount MatchedIndexes durationInSeconds
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If field D is always present but may differ in your three indexes you can use D=* in your base search.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jarapally Were you able to check the answer?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please add more details whether field D is to correlate the events or compare the events. Do you have some sample of data from three indexes?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare the values of the field D which is a unique bank transaction.. Index B and Index C have values of field D that are present in Index A. the transaction ID's that are present in both Index B and Index C should be present in Index A if not it is flagged as unauthorized.
Index A -Event
Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:xxxxxx}}{E: :xxxxxxyyyyyyyy}}"
Index B Event:
02-20-2017 03:34:07 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:xxxxxxxx}}{E:
xxxxxxxxxxxxxxx
-}
Index C Event
"{A:XX0000000000}{B:IXXXXN}{C:{D:xxxxxxx}}{E:
:xxxxxxxxxxxxxxxxxx
}
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
