Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Association same field and of sourcetype different

RichPierre
Engager
‎03-31-2014 12:33 PM

Good evening,
I have a question:
I have a sourcetype A with a field "ip" and a "name"
I have a sourcetype B with a field "ip" and a "name"
I shall like knowing if you know how to associate the identical fields at the level of the ip and whose name is different.
Knowing that I have no access to the limit.config file and that every sourcetype has more than 70 000 fields.

Cordially

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-31-2014 01:19 PM

As a first jab, take a look at this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip | where sourcetypes>1

Whether that's anywhere near what you're looking for depends on what you're looking for.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-01-2014 12:34 AM

To also add the date into the stats and filter only those with differing names you can do this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetypes) as sourcetypes by ip date | where sourcetypes>1 AND mvcount(names)>1
0 Karma
Reply

RichPierre
Engager
‎04-01-2014 12:16 AM

It's true, that finally it is simple. But I had badly analyzed the thing. Indeed, I make a request accelerated to get back the information.
I thus find myself with this :
Ip | name | date | sourcetype
1. 192.168.1.45 max 2014/03/05 A
2. 192.1681.1.89 bob 2014/03/05 A
3. 192.168..45 john 2014/03/05 B
4. 192.168.1.89 bob 2014/03/05 B

I want the people who have same Ip but who the same day have same no same sourcetype and name. Is it possible? Cordially.

0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2014 12:49 PM

What kind of association you're looking for? What should be the final output from these two sourcetype? You can use join for some requirements.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...