Re: search same requestid from different sources a...

diag · ‎05-28-2018

I don;t know what's eval command I need to here but I like to make SPL like before

sourcetype A , field_a(requestid) field_a2 , field_a3 ,field_a4

sourcetype B, field_b(requestid) field_b2, field_b3, filed_b4

(what kind of eval or join i need to use here ) ?????

where field_a(requestid)=field_b(requestid)

table field_a(requestid) field_b(requestid) field_a3 ,field_a4 ,filed_b4

kamlesh_vaghela · ‎05-28-2018

Hi @diag ,

Can you please try following search?

(sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*)
| eval requestid=if(isnotnull(field_a),field_a,field_b) 
| stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid 
| where field_a = field_b

This is my sample search

| makeresults 
| eval sourcetype="A",field_a="1,2,3,4",field_a2="a2",field_a3="a3", field_a4="a4" 
| eval field_a=split(field_a,",") 
| mvexpand field_a 
| append 
    [| makeresults 
    | eval sourcetype="B",field_b="1,2,3",field_b2="b2",field_b3="b3", field_b4="b4" 
    | eval field_b=split(field_b,",") 
    | mvexpand field_b] 
| eval comment="Above search is for data generation. Use from below search"
| search (sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*)
| eval requestid=if(isnotnull(field_a),field_a,field_b) 
| stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid 
| where field_a = field_b

Thanks

HiroshiSatoh · ‎05-28-2018

Try this!

(sourcetype=sourcetype A OR  sourcetype=sourcetype B)
|eval key=if(sourcetype=sourcetype A, field_a, field_b)
|stats earliest(*) as * by key
|table field_a,field_b,field_a3 ,field_a4 ,filed_b4

search same requestid from different sources and fileds

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!