Associating the same field across different sourcetypes

Engager

Good evening,
I have a question:
I have a sourcetype A with a field "ip" and a "name"
I have a sourcetype B with a field "ip" and a "name"
I would like to know how to associate the events that have an identical ip but a different name.
Note that I have no access to the limit.config file and that every sourcetype has more than 70 000 fields.

Cordially

0 Karma

SplunkTrust

As a first jab, take a look at this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip | where sourcetypes>1

Whether that's anywhere near what you're looking for depends on what you're looking for.

SplunkTrust

To also add the date into the stats and filter only those with differing names you can do this:

sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip date | where sourcetypes>1 AND mvcount(names)>1
0 Karma

Engager

It's true that in the end it is simple, but I had analyzed the problem badly. In fact, I run an accelerated request to get the information back.
I thus end up with this:
Ip | name | date | sourcetype
1. 192.168.1.45 | max | 2014/03/05 | A
2. 192.168.1.89 | bob | 2014/03/05 | A
3. 192.168.1.45 | john | 2014/03/05 | B
4. 192.168.1.89 | bob | 2014/03/05 | B

I want the people who have the same Ip but who, on the same day, do not have the same sourcetype and name. Is it possible? Cordially.

0 Karma
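The search from the reply above, run against the four sample rows in this post, as an added example that is not part of the original thread. The rows are embedded as a constructed string (the `constructed_rows` field name is an assumption made here) so the search runs without any indexed data:

```spl
| makeresults
| eval constructed_rows="192.168.1.45,max,2014/03/05,A;192.168.1.89,bob,2014/03/05,A;192.168.1.45,john,2014/03/05,B;192.168.1.89,bob,2014/03/05,B"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<ip>[^,]+),(?<name>[^,]+),(?<date>[^,]+),(?<sourcetype>[^,]+)$"
| stats values(name) as names dc(sourcetype) as sourcetypes by ip date
| where sourcetypes>1 AND mvcount(names)>1
```

Only the 192.168.1.45 row survives the final `where`: 192.168.1.89 appears in both sourcetypes on the same day, but with a single name, so `mvcount(names)>1` drops it.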

Revered Legend

What kind of association are you looking for? What should the final output from these two sourcetypes be? You can use join for some requirements.

0 Karma