Splunk Dev

How do you combine two different searches with two different sources?

edwardryan
New Member

Hello,

I am attempting to use Splunk to search two log files that hold activity for two platforms of an application "IOS" & "Android".
The log file for each platform unfortunately uses a different identifier for login behavior.

I would like to combine both searches into one.

Currently each of my searches look like the following (some filters are the same)

> index=I1 source=S1 sourcetype=ST1 host=H1 "searchCriteria1" earliest=-1hr latest=now | timechart span=5m count by host
> index=I2 source=S2 sourcetype=ST1 host=H1 "searchCriteria2" earliest=-1hr latest=now | timechart span=5m count by host

I would like to have the result displayed as follows: total, Android and IOS.

I am using the Java API to Splunk, so as long as I can differentiate Android from IOS in the response, that is OK.

Time | Total Logins | Android Logins | IOS Logins
01:00 | 10 | 8 | 2
02:00 | 15 | 10 | 5

I have looked into "multiSearch" and "subsearches" but I am new to using Splunk and do not know exactly what I am trying to do.

Any help is greatly appreciated!

Thank you,
Anon

EDIT: Considering I can differentiate between each platform via "source", the following query does produce a correct result, although I'm unsure if it's the correct way. Is there a better way to obtain the following:

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
OR
(index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| bucket _time span=5m
| stats count by _time, source, host
| sort - _time
0 Karma

edwardryan
New Member

I found the following worked for me.
Key points being the use of "OR" to separate the queries and "bucket" to divide the data.

 (index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
 | bucket _time span=5m
 | stats count by _time, source, host
 | sort - _time
0 Karma

skoelpin
SplunkTrust
SplunkTrust

Yes, this was shown to you as a solution. Not sure why you're taking credit for solutions others provided, but might as well close it out.

0 Karma

woodcock
Esteemed Legend

The solution in your update is A-OK.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Looks like you've solved your problem. The only change I'd make is | bucket span=1h _time.

Put your edit into an answer and accept it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skoelpin
SplunkTrust
SplunkTrust

Sometimes I ask myself why I even contribute when most users don't even bother to accept the answer after using the solution provided.

0 Karma

edwardryan
New Member

@skoelpin No one has posted a solution that I have used yet

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Your question was how to combine 2 different searches with different sources. You have 2 solutions which you used and said it works. You have not responded back or clarified what doesn't work. What didn't get answered?

0 Karma

edwardryan
New Member

@skoelpin can you relax? The solution I'm using at the moment is the one I created. The first solution you posted does not work. The second solution let me know how to use the eval function which I am using. Why are you so agitated? I did not respond because like you I'm in work and didn't have time to respond within 24 hours... fucking hell

0 Karma

edwardryan
New Member

@richgalloway I need the data structured at small intervals, that is why I was using span=5m over an hour period. Mainly because I would like to chart the output

0 Karma

somesoni2
Revered Legend

Try like this (check eval command to ensure the mapping of source is correct)

(index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login") earliest=-1hr latest=now
| eval type=if(source="/var/log/jboss/server.log","Android","IOS")
| timechart span=5m count by type
| eval "Total Logins"=Android + IOS
0 Karma

edwardryan
New Member

Thanks, the eval command looks useful. I was doing this mapping afterwards using Java, but your solution looks a lot better.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

((index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1))
  (("searchCriteria1") OR ("searchCriteria2")) earliest=-1hr latest=now
| timechart span=5m count by host
0 Karma

edwardryan
New Member

Unfortunately I can't use timechart because I need to groupBy multiple fields. "stats count by" looks to be what I require.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Then use stats... What's the issue?

((index=I1 source=S1 sourcetype=ST1 host=H1) OR (index=I2 source=S2 sourcetype=ST1 host=H1))
  (("searchCriteria1") OR ("searchCriteria2")) earliest=-1hr latest=now
| bin _time span=5m
| stats count by host, <OTHER FIELD>
0 Karma
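Putting the two answers above together (the eval mapping of source to platform from somesoni2's answer, and stats with bin instead of timechart so that host can stay a grouping field), this is an added example that is not from any post in this thread. It uses the indexes, sources and search strings quoted in the question; the assumption that every event not from the jboss source is an IOS login is carried over from somesoni2's mapping.

```spl
((index=jboss source=/var/log/jboss/server.log sourcetype=jboss:server:log host="lblux31*" "NewState showDashboard PreviousState checkIfActiveCustomer")
 OR
 (index=jboss-mobile source=/var/log/jboss-mobile/server.log sourcetype=jboss:server:log host="lblux31*" "[EVENT]login"))
earliest=-1hr latest=now
| eval type=if(source="/var/log/jboss/server.log","Android","IOS")
| bin _time span=5m
| stats count AS "Total Logins"
        count(eval(type="Android")) AS "Android Logins"
        count(eval(type="IOS")) AS "IOS Logins"
  BY _time, host
| sort - _time
```

Each result row carries _time, host and the three counts, so the Java client can read "Android Logins" and "IOS Logins" directly instead of re-mapping source values after the fact; a bucket with no events of one platform shows 0 in that column rather than a missing field.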

edwardryan
New Member

There is no issue, I am using stats. I left a comment to say why I disagreed with your solution; would you rather I didn't comment at all?

I am using stats, as seen in the initial edit in the question, BEFORE you commented this answer.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

So what part of your original question did we not answer?

0 Karma