Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help in Splunk query urgent plz - merge results in 2 deferent source and same index csv files

abedcx
Explorer
‎01-12-2024 03:46 AM

Dears,

Need assistance with a Splunk query to retrieve data from two sources: source X and source Y. I want to match records where child_file_id in source Y matches file_id in source X and retrieve the combined data. How can I achieve this?

 

So, in my source X, specifically Stealer_* there are records, each of which includes a file_id, which is illustrated as 3382 in my example.

 

Screenshot_1306.png 

So, when I search for file_id, I find 6 events, all structured similarly but with different values, all sharing the same file_id.

In another source, I have data related to source X. To establish connections between them, I use child_file_id as a relational identifier, similar to a database key.

As depicted in the screenshot below, you can see that the child_file_id corresponds to the same file_id in the first source."

 
 
 

Screenshot_1307.png

 

How can I construct a Splunk query to achieve this? Specifically, I want to retrieve the entire result set in a single query and table.

In this query, the data from source 2 (child_file_id) should be duplicated in each event from the first source, creating a unified result.

 

Final output 

something like this 

srouce_field1,srouce_field1,srouce_field1,srouce_field1,srouce_field1,srouce_field2,srouce_field2

BR.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-12-2024 04:18 AM

Here is one way to approach it

<search first index> [search <second index> | rename child_file_id as file_id | dedup file_id]

Here is another

<first index> OR <second index>
| rename child_file_id as file_id
| stats values(*) as * by file_id

Given your vague requirements and lack of sample events, hopefully this will still match what you are attempting to do

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...