Solved: Re: Creating a comparison report

mahbs · ‎01-08-2018

Hi,

I'm trying to create report, where I am extracting data from two different sources. This data being extracted from both sources share the same item number value. So the structure is something like this:

ITEM | src1 Field 1 | src1 Field 2 | src2 Field 1 | src2 Field 2
11111 0 0 0 0
12121 8 8 8 8
13222 7 7 7 7

Essentially, what I want to do is extract data from both sources for the relevant fields for a specific ITEM.

Can someone suggest what I can do to achieve this?

EDIT:
Apologies, I haven't been able to seperate the values for each fields. Basically, Each src field has only on Integer value.

mayurr98 · ‎01-08-2018

Hey

If you have different field name for both sources then try this:

source=source1 OR source=source2 ITEM=<item_number> | stats values(src1_field1) as "src1_field1"  values(src1_field2) as "src1_field2"  values(src2_field1) as "src2_field1" values(src2_field2) as "src2_field2" by ITEM

I hope this helps you!

View solution in original post

mayurr98 · ‎01-08-2018

Hey

If you have different field name for both sources then try this:

source=source1 OR source=source2 ITEM=<item_number> | stats values(src1_field1) as "src1_field1"  values(src1_field2) as "src1_field2"  values(src2_field1) as "src2_field1" values(src2_field2) as "src2_field2" by ITEM

I hope this helps you!

mayurr98 · ‎01-08-2018

Also for fast result you should write

index=export14 ITEM=$item_number$". sourcetype=csv | stats values(src1_field1) as field1 values(src1_field2) as field2 BY ITEM | rename ITEM as item_number | map search = "search index=export8 sourcetype=csv src2_item=$item_number$" | stats values(src2_field1) as field1 values(src2_field2) as field2 BY src2_item| rename src_item as item_number

mahbs · ‎01-08-2018

Hi @mayurr98,

Quick question, what does ITEM= do? I understand with the others, you're displaying the values of the fields according to ITEM.

mahbs · ‎01-08-2018

@mayurr98,

Apologies, I should have mentioned, the fields from the two different sources will have the same name.

mayurr98 · ‎01-08-2018

Try this then:

 index=<your_index> source=source1 ITEM=<item_number> field1=* field2=* | stats values(field1) as "src1_field1"  values(field2) as "src1_field2"  by ITEM | join ITEM [search index=<your_index> source=source2 ITEM=<item_number> field1=* field2=* | stats values(field1) as "src2_field1"  values(field2) as "src2_field2"  by ITEM]

so your output will be
ITEM src1_field1 src1_field2 src2_field1 src2_field2
1111 0 0 0 0
2222 1 1 1 1

Let me know if this works!

mahbs · ‎01-08-2018

Will do! Thanks for your speedy response @mayurrr98! 🙂

Creating a comparison report

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation