Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to correlate data between two different sourcetypes when one is in JSON format?

dwong2
New Member
‎04-25-2018 02:17 PM

I have one index and two sourcetypes. I want to be able to count the actions from sourcetypeA and correlate the data from sourcetypeB. SourcetypeB however is in JSON format.

**sourcetypeA:**
  accountId: 12345678       
       **action:** Enter        
       assetId: 7a8b9c      
       dateTime: 2018-04-21T20:32:52.295348Z        
       deviceID: abcdefgh       
       **publishId:** 63600U        
       **tile:** Tile1          

**sourcetypeB:**             
    dateTime: 2018-04-21T19:44:41.3524516Z      
       **publishId**: 63600U        
       published: { [-] 
         Background: {  [+] 
         }      
         Condition: {   [+] 
         }      
         EditBy: charlie        
         EditTime: 2018-04-15T19:43:58.1671071Z     
         Id: 6      
         Info: {    [+] 
         }      
         PublishBy: charlie     
         PublishTime: 2018-04-15T19:44:41.3524516Z      
         ScheduleTime: 2018-04-15T19:50:00Z     
         Template: {    [+] 
         }      
         Tiles: [   [-] 
           {    [+] 
           }    
           {    [+] 
           }    
           {    [-] 
             Condition: {   [+] 
             }      
             Id: 2      
             **Name:** Tile1        
             **Subscribed:** {  [-] 
               Images: [    [+] 
               ]        
               Live: {  [+] 
               }        
               Text: [  [-] 
                 Tile1Text  

               ]        
               **TileTypeIndicator**: category      
               }        
             **Unsubscribed**: {    [-] 
               Images: [    [+]

I'm trying to join (don't know if that is the right word used in SPL?) on "publishId" between the two sourcetypes.
Then count the number of "tiles" from sourcetypeA while referencing the related information from sourcetypeB?
i.e. Tile1 is Tile1Text, Tile2 is Tile2Text, Tile3 is Tile3Text, etc.

sourceytypeA has the data for how many times "tile" is logged. i.e. Tile1
sourcetypeB has the information of what Tile1 is referenced to. i.e. Tile1Text
Then sort between subscribed and unsubscribed.

| rename published.Tiles{}.Name AS Name, published.Tiles{}.Subscribed.Text{} as Text

0 Karma
Reply

David_Naylor
Path Finder
‎04-25-2018 07:59 PM

This probably isn't the answer, but hopefully you can run with it.

Something along the lines of..

sourcetype=sourcetypeA
| stats values(*) as * by publishId
| join publishId type=left
[| search sourcetypeB
| spath
| (Do the field manipulation/extraction you want here, might have to use rex, eval, foreach or a combination of the 3)
| table fieldyoucareabout, publishId

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...