Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use same field with same value to get result from two different sourcetype?

titanwss
Explorer
‎10-09-2013 11:55 PM

sample data like followed.

sourcetype A (like access log):

clientip uri_path status other fields....
10.0.0.1 /bar.html 200 ...
10.0.0.2 /admin/ 200 ...

sourcetype B (like security audit log):

clientip uri_path status other fields....
192.168.0.1 /foo.html 403 ...
192.168.1.1 /admin/ 403 ...

These sourcetypes have three same fields. I just want get the result like

clientip uri_path statusB statusA
192.168.1.1 /admin/ 403 200

To find out if uri_path in sourcetype B is existed(200)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎10-11-2013 04:20 AM

The append command can be useful in some scenarios.

But generally you'll get better performance (and not be restricted by result limits associated with the append command) if you use one all-encompassing base search.

Using the example in your original question, it would look something like this:

sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats count(status*) by clientip uri_path

The status{sourcetype} will actually create distinct fields based on your sourcetype name. In the above example, it would create a field called statusA for events with sourcetype of A and a field called statusB for events having a sourcetype of B. The status* (in the stats command) includes both of those. Using these techniques, we can expand the base search with additional sourcetypes and not have to worry about updating our search downstream to take advantage of that expansion.

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎10-11-2013 04:20 AM

The append command can be useful in some scenarios.

But generally you'll get better performance (and not be restricted by result limits associated with the append command) if you use one all-encompassing base search.

Using the example in your original question, it would look something like this:

sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats count(status*) by clientip uri_path

The status{sourcetype} will actually create distinct fields based on your sourcetype name. In the above example, it would create a field called statusA for events with sourcetype of A and a field called statusB for events having a sourcetype of B. The status* (in the stats command) includes both of those. Using these techniques, we can expand the base search with additional sourcetypes and not have to worry about updating our search downstream to take advantage of that expansion.

Reply
Solved! Jump to solution

titanwss
Explorer
‎10-11-2013 06:56 PM

The status{sourcetype} seems to be very useful. There must be something wrong in my search. Thanks for telling these techniques.

0 Karma
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎10-11-2013 04:22 AM

reading your original question again, you may actually want this search (replacing count with values) --> sourcetype=A OR sourcetype=B | eval status{sourcetype}=status | stats values(status*) by clientip uri_path

0 Karma
Reply
Solved! Jump to solution

gfuente
Motivator
‎10-10-2013 12:55 AM

Hello

You can get this by several ways, but i think that the best performance would be something like:

sourcetype="A" OR sourcetype="B" | stats values(statusB), values(statusA) by clientip, uri_path

Other way would be using the join command, but i think it is worse from a performance point of view

Regards

Reply
Solved! Jump to solution

titanwss
Explorer
‎10-11-2013 06:32 PM

I did make some mistakes, but I don't know what it is now. Actually yours works well.XD

0 Karma
Reply
Solved! Jump to solution

titanwss
Explorer
‎10-11-2013 02:43 AM

Thanks for your reply. I've tried what you said, but it return nothing. Finally, I use append and distinct_count command to deal with it.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top