Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: comparing field values across sources/indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two different datasets as follows:
dataset A - there is a field called TicketNo
dataset B - there are two fields as follows:
DESCRIPTION - a text field that sometimes just contains ticket number but sometimes it also includes ticket number and other information in it.
EFFORT - tracks the number of hours spent resolving the ticket.
For each ticket X in dataset A, I need to find all corresponding records in dataset B if the DESCRIPTION contains the ticket number X. If there is a match, grab the EFFORT.
Example:
dataset A ->
TicketNumber
T1
T2
T30
dataset B ->
DESCRIPTION EFFORT
T1 2
T20 1
T1 3
T2 1
The result I expect is this..
For ticket T1 found in dataset A, two records in dataset B are found and the total effort is 5.
For ticket T2 found in dataset A, one record in dataset B is found and the corresponding effort is 1.
For ticket T30 found in dataset A, no matches found in B.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gdang,
there are two ways:
the more efficient is to extract TicketNo from Description of DatasetB using a regex (if you share some example I can help you to create it) and use this value to filter TicketNos of datasetA, something like this:
your_DatasetA [ search your_DatasetB | rex field=Description "your_regex" | fields TicketNo ]
| ....
The second way (less efficient) is to use asterisks in search
your_DatasetB [ search your_DatasetA | eval Description="*"+TicketNo+"*" | fields Description
| ....
(I'm not sure that the second one solves your problem, but I share it)
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what you need to do :
Split description effort field into 2 fields, having the ticket number and effort, you will have to use regex or sub string the ticket number and effort
Now have a query , something like this
index="dataset a" | chart count by ticket number | join _ticket number [search index="dataset b"| chart sum(effort) by ticket number]
you will get something like this:
Ticket number , count , sum(effort)
now, a final tuning:
index="dataset a" | chart count by ticket number | join _ticket number [search index="dataset b"| chart sum(effort) by ticket number] | fields Ticket number,sum(effort)| rename sum(effort) AS Effort
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gdang,
there are two ways:
the more efficient is to extract TicketNo from Description of DatasetB using a regex (if you share some example I can help you to create it) and use this value to filter TicketNos of datasetA, something like this:
your_DatasetA [ search your_DatasetB | rex field=Description "your_regex" | fields TicketNo ]
| ....
The second way (less efficient) is to use asterisks in search
your_DatasetB [ search your_DatasetA | eval Description="*"+TicketNo+"*" | fields Description
| ....
(I'm not sure that the second one solves your problem, but I share it)
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi cusello, the approaches you identified worked. thank you much!
Good Sourcetype Naming
See your relevant APM services, dashboards, and alerts in one place with the updated ...
Splunk App for Anomaly Detection End of Life Announcement
