Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help to join information from 2 different sourcetype

jip31
Motivator
‎10-05-2021 02:38 AM

hi

I need to do a count on the field "titi" which exist in 2 different sourcetype following 2 conditions :

the field "cit" is related to the sourcetype "citrix" and the field "domain" is related to the sourcetype "web"

And "host" exist in both sourcetype

so I am doing something like this but i have no results

index=tutu sourcetype=citrix OR sourcetype=web
| search (cit<="3") AND domain=west
| stats dc(titi) by host

Is it enough to add a "by host" clause for matching the events or do I have to use a join command?

thanks

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 03:51 AM

As I said, you have a pipeline of events from both sourcetype, your AND condition at this point will not find events which match the criteria - try something like this

index=tutu sourcetype=citrix OR sourcetype=web
| where cit<=3 OR domain=west
| stats values(titi) as titi dc(cit) as cit dc(domain) as domain by host
| where cit>0 AND domain>0
| eval count=mvcount(titi)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 02:46 AM 
| search (cit<="3") AND domain=west

will find events in the pipeline that match these conditions - given that cit comes from one source type and domain comes from the other, there will be no events that match these conditions at the same time - try changing AND to OR

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-05-2021 03:37 AM

my need is to count only the host that have a cit<3 and a domain=west

so if I replace AND by OR i think i am going to count a host that has a cit<3 or a host that has a domain=west, is it true?

If yes it's not my need, so do I have to use a join command to do that?

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 03:51 AM

As I said, you have a pipeline of events from both sourcetype, your AND condition at this point will not find events which match the criteria - try something like this

index=tutu sourcetype=citrix OR sourcetype=web
| where cit<=3 OR domain=west
| stats values(titi) as titi dc(cit) as cit dc(domain) as domain by host
| where cit>0 AND domain>0
| eval count=mvcount(titi)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-05-2021 04:10 AM

ok thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...