Filter users who appear in 2 different sourcetypes

Motivator

Hi,

I've got 2 sourcetypes A and B. The User X can appear in both sources.
I want to achieve an analysis on source A, for all players who appear in both sources. So I need to create a new field in source A with some kind of a flag for these users.
Or perhaps creating a combined filter at the beginning of the search?

How can I achieve this?

Thanks in advance

Heinz

SplunkTrust

Little faster way:

sourcetype=A [search sourcetype=B | stats count by user | fields user] | ...

Motivator

Hi,

thanks a lot for your answers, both ways are working fine!

Is it also possible to combine this filter with an inputlookup? The field user is also available in this lookupfile. So sourcetype A would be a lookupfile.

I tried this out, without success:

|inputlookup file.csv [search sourcetype=B | stats count by user| fields user] | ...

Best

Heinz

Motivator

Thanks, this approach seems to work.
Just to make sure that I understand what I'm doing here:

[search sourcetype=B ...] extracts a list of all users in sourcetype B.
This list is then used as a search filter to keep the rows of the lookup where these users appear. Everything else is removed from the lookup (users who do not appear in source B).

Communicator

inputlookup loads the lookup file as results. To do things with those results, you need to pipe it to a command.

Try | inputlookup file.csv | search [search sourcetype=B ...]

Legend

If you do a subsearch on sourcetype B and grab all users you find there, you can then use this filter when you search in sourcetype A.

sourcetype=A [search sourcetype=B | dedup user | fields user] | ...
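
The original question also asked for a flag field rather than a filter. As an added example (not posted by anyone in this thread), the search below marks each sourcetype A event with whether its user also appears in sourcetype B, in a single pass without a subsearch. The field names `sourcetype_count` and `in_both` are made up for illustration, and `user` is assumed to be extracted under the same name in both sourcetypes.

```spl
(sourcetype=A OR sourcetype=B) user=*
| eventstats dc(sourcetype) AS sourcetype_count BY user
| eval in_both=if(sourcetype_count=2, 1, 0)
| where sourcetype="A"
| table _time user in_both
```

Add `| where in_both=1` to get the same result set as the subsearch filter. Because no subsearch is involved, the subsearch result and runtime limits from limits.conf cannot silently truncate the user list.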