
How to combine outputs from 2 different searches where fields match?

auraria
Explorer

EDIT: Never mind, I was just being dumb. It seems that no matter how I search by the field3 value that triggered on field1, field2 doesn't exist. For some reason I thought it did.

I have an interesting issue I'm trying to solve and I've hit a road block at this point.

Basically, what I'm trying to accomplish is to take the output of search1, append search2, and then match the two by field3, since it exists in both searches.

Search1 and search2 use the same index and produce mostly the same fields; however, there are a few fields that are present in one search but not the other, and vice versa. Let's call those field1 and field2. EDIT: field1 only exists in search1 and field2 only exists in search2.

This is my current query:

index=s_index1  string field1="value" OR field1="value" OR string  field3!="value" | transaction field3  | append [search index=s_index1 string field2="*" | transaction field3] | transaction field3 | table  _time, field4, field5, field3, field6, field1, field2

This is currently not working to the full effect I'd like. It seems most of the data is there, but it's not correct / not being interpreted correctly.

I normally use eval to match two separate fields with the same or separate data; is there a way to use eval to match across searches?

Such as | eval search 1 field3=search 2 field 3, or is there a way to do this that I'm simply missing? Should I be using the join command instead of append? Any help would be greatly appreciated.

0 Karma
1 Solution

pyro_wood
SplunkTrust
SplunkTrust

Hi auraria,

would the following search work?

(index=s_index1 ((string AND field1="value") OR (field1="value") OR (string AND field3!="value")) OR (search index=s_index1 AND string AND field2="*") | transaction field3 | table _time, field4, field5, field3, field6, field1, field2


0 Karma
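The searches below are an added illustration of the approach in the accepted answer, not part of the original thread; they reuse the thread's placeholder names (s_index1, field1 through field6) and assume field1 and field2 are already extracted fields on events in that index. The first search is the check worth running before any correlation attempt: it counts, per field3 value, how many events carry field1 and how many carry field2, and keeps only the field3 values that have at least one of each. If it returns nothing, there is no overlap to merge, which is exactly what the original poster eventually found. The second search does the merge in a single pass with stats instead of transaction, so each field3 value yields one row carrying both fields. The third keeps the append structure from the question, for cases where the two halves genuinely need separate pipelines, and merges the appended rows with a second stats over field3.

```spl
index=s_index1 field3="*"
| stats count AS events, count(field1) AS has_field1, count(field2) AS has_field2, values(field1) AS field1, values(field2) AS field2 BY field3
| where has_field1 > 0 AND has_field2 > 0

index=s_index1 (field1="value" OR field2="*")
| stats earliest(_time) AS _time, values(field4) AS field4, values(field5) AS field5, values(field6) AS field6, values(field1) AS field1, values(field2) AS field2 BY field3
| where isnotnull(field1) AND isnotnull(field2)
| table _time, field4, field5, field3, field6, field1, field2

index=s_index1 field1="value"
| stats earliest(_time) AS _time, values(field1) AS field1, values(field4) AS field4, values(field5) AS field5, values(field6) AS field6 BY field3
| append [ search index=s_index1 field2="*" | stats values(field2) AS field2 BY field3 ]
| stats values(*) AS * BY field3
| where isnotnull(field1) AND isnotnull(field2)
| table _time, field4, field5, field3, field6, field1, field2
```

Two points a practitioner would want to keep in mind. transaction groups events by field3 but also applies time-based grouping and is expensive at scale; stats BY field3 gives a deterministic one-row-per-key merge and is the usual replacement for this kind of correlation, and join is rarely needed when stats can do the merge. The append form runs its subsearch under the subsearch limits (by default 10,000 results and 60 seconds), so on a large index the field2 side can be silently truncated and rows that should match will be missing; the single-search form avoids that limit entirely.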


auraria
Explorer

Never mind, I was just being dumb. It seems no matter how I search by field3, field2 doesn't exist.

Thanks for the help though!

0 Karma

auraria
Explorer

I've tried this as well, in a slightly different way (basically removing the extra parentheses). It still didn't get me the results I was interested in.

I'm going to look at the data a bit more closely on both sides to make sure I'm not missing something obvious.

I'll continue to update the thread as I find out something new.
Thank you!

0 Karma