Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Association same field and of sourcetype different

RichPierre
Engager
‎03-31-2014 12:33 PM

Good evening,
I have a question:
I have a sourcetype A with a field "ip" and a "name"
I have a sourcetype B with a field "ip" and a "name"
I shall like knowing if you know how to associate the identical fields at the level of the ip and whose name is different.
Knowing that I have no access to the limit.config file and that every sourcetype has more than 70 000 fields.

Cordially

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-31-2014 01:19 PM

As a first jab, take a look at this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip | where sourcetypes>1

Whether that's anywhere near what you're looking for depends on what you're looking for.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-01-2014 12:34 AM

To also add the date into the stats and filter only those with differing names you can do this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetypes) as sourcetypes by ip date | where sourcetypes>1 AND mvcount(names)>1
0 Karma
Reply

RichPierre
Engager
‎04-01-2014 12:16 AM

It's true, that finally it is simple. But I had badly analyzed the thing. Indeed, I make a request accelerated to get back the information.
I thus find myself with this :
Ip | name | date | sourcetype
1. 192.168.1.45 max 2014/03/05 A
2. 192.1681.1.89 bob 2014/03/05 A
3. 192.168..45 john 2014/03/05 B
4. 192.168.1.89 bob 2014/03/05 B

I want the people who have same Ip but who the same day have same no same sourcetype and name. Is it possible? Cordially.

0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2014 12:49 PM

What kind of association you're looking for? What should be the final output from these two sourcetype? You can use join for some requirements.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...