Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to link fields with different names across sources?

bnash_splunk
Splunk Employee
Splunk Employee
‎04-04-2016 03:53 PM

I have two types of transactions, one coming from a mobile app when a push notification is sent, looks approx like this:

TIMESTAMP="2016-03-29 23:39:01" DDSDKAppEventPushNotificationDelivered Msg=536 UID=101053 DEVICE=galaxys6 IP=XXX

and events from a shopping cart system, where that user has placed an order, that look approx like this:

04/04/2016:15:26:15 TRANSPAYMENT SYSTEM=DD LABEL=1 MERCHANTID=XXX REGISTER=1 LOGIN=125451 TICKET=XXX PAID=YES PAYMETHOD=GIFTCARD CUSTLOYALTY=101053 ITEMS=1 SALE=2.73 DISCTYPE=FLAT DISCAMT=0.0 DISCAPPLIED=0

The CUSTLOYALTY field in the shopping cart is the same data as the UID field from the push notifications (if this was a SQL database, I would join tables on those fields). I have created a field alias for those two fields, "CUSTLOYALTY AS UID".

I've got some simple logic to separate the customers that received a push notification, coming from the mobile app log:

eval PromoRcvd = if (Msg>1,"Yes","No")

But when I try to mix fields from the mobile app log and the shopping cart log, the shopping cart fields (in this case, SALE) are always empty:

table UID,Msg,PromoRcvd,sum(SALE)

I thought I didn't need to explicitly join sources in Splunk in order to search across them?

Reply

MuS
Legend
‎04-04-2016 04:24 PM

Hi bnash [Splunk],

use stats instead of table:

 your base search to get all the events 
 | eval PromoRcvd = if (Msg>1,"Yes","No")
 | stats sum(SALE) AS SALE by UID, Msg, PromoRcvd

Hope this helps ....

cheers, MuS

Reply

bnash_splunk
Splunk Employee
Splunk Employee
‎04-04-2016 04:42 PM

That still leaves the SALE field blank:

index=pos OR index=mobileapp | eval PromoRcvd = if (Msg>1,"Yes","No") | stats sum(SALE) AS SALE by UID, Msg, PromoRcvd

https://www.dropbox.com/s/lxmkqtys6lf7fkp/Screenshot%202016-04-04%2016.42.33.png?dl=0

Did I do something wrong?

0 Karma
Reply

MuS
Legend
‎04-04-2016 04:46 PM

Can you provide some examples for @martin_mueller and I - please ?

0 Karma
Reply

bnash_splunk
Splunk Employee
Splunk Employee
‎04-04-2016 05:08 PM

Sure thing - examples of what? What data do you need?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-04-2016 04:22 PM

For the short version, check out this excellent post by @MuS at http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

For the long version, check out this excellent talk by @sideview at http://wiki.splunk.com/Virtual_.conf (March 2016).

In your example case, you'd do something like this:

search for datasource1 OR datasource2 | stats values(Msg) as Msg values(PromoRcvd) as PromoRcvd sum(SALE) by UID

The variations are endless.

Reply

bnash_splunk
Splunk Employee
Splunk Employee
‎04-04-2016 04:44 PM

Ok, that does some weird things in the results table but it does look like it linked the fields correctly. But I think it's also creating duplicates in the results?

https://www.dropbox.com/s/l4oghy8kdt3bsch/Screenshot%202016-04-04%2016.43.39.png?dl=0

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-04-2016 04:46 PM

Each UID is listed once, looks fine to me.

If you're referring to the Yes-No-mv-field, I guess there are events for those UIDs with both Yes and No values. What that means depends on your data and requirements.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...