Getting Data In

How to use same field with same value to get result from two different sourcetype?

titanwss
Explorer

sample data like followed.

sourcetype A (like access log):

clientip uri_path status other fields....
10.0.0.1 /bar.html 200 ...
10.0.0.2 /admin/ 200 ...

sourcetype B (like security audit log):

clientip uri_path status other fields....
192.168.0.1 /foo.html 403 ...
192.168.1.1 /admin/ 403 ...

These sourcetypes have three same fields. I just want get the result like

clientip uri_path statusB statusA
192.168.1.1 /admin/ 403 200


To find out if uri_path in sourcetype B is existed(200)

0 Karma
1 Solution

bwooden
Splunk Employee
Splunk Employee

The append command can be useful in some scenarios.

But generally you'll get better performance (and not be restricted by result limits associated with the append command) if you use one all-encompassing base search.

Using the example in your original question, it would look something like this:

sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats count(status*) by clientip uri_path

The status{sourcetype} will actually create distinct fields based on your sourcetype name. In the above example, it would create a field called statusA for events with sourcetype of A and a field called statusB for events having a sourcetype of B. The status* (in the stats command) includes both of those. Using these techniques, we can expand the base search with additional sourcetypes and not have to worry about updating our search downstream to take advantage of that expansion.

View solution in original post

bwooden
Splunk Employee
Splunk Employee

The append command can be useful in some scenarios.

But generally you'll get better performance (and not be restricted by result limits associated with the append command) if you use one all-encompassing base search.

Using the example in your original question, it would look something like this:

sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats count(status*) by clientip uri_path

The status{sourcetype} will actually create distinct fields based on your sourcetype name. In the above example, it would create a field called statusA for events with sourcetype of A and a field called statusB for events having a sourcetype of B. The status* (in the stats command) includes both of those. Using these techniques, we can expand the base search with additional sourcetypes and not have to worry about updating our search downstream to take advantage of that expansion.

titanwss
Explorer

The status{sourcetype} seems to be very useful. There must be something wrong in my search. Thanks for telling these techniques.

0 Karma

bwooden
Splunk Employee
Splunk Employee

reading your original question again, you may actually want this search (replacing count with values) --> sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats values(status*) by clientip uri_path

0 Karma

gfuente
Motivator

Hello

You can get this by several ways, but i think that the best performance would be something like:

sourcetype="A" OR sourcetype="B" | stats values(statusB), values(statusA) by clientip, uri_path

Other way would be using the join command, but i think it is worse from a performance point of view

Regards

titanwss
Explorer

I did make some mistakes, but I don't know what it is now. Actually yours works well.XD

0 Karma

titanwss
Explorer

Thanks for your reply. I've tried what you said, but it return nothing. Finally, I use append and distinct_count command to deal with it.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...