Solved: Re: how to combine two sources

selvam_sekar · ‎12-27-2023

Hi,

I have below spl query and trying to combine them together. please could you suggest?

Expected count is 13919

spl 1:

index=abc sourcetype=123 source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa
TERM("4=region") | dedup ExecId | stats count

## Results Count = 4698

spl 2:

index=abc sourcetype=123 source=*block* TERM("1=1") OR TERM("2=2") | dedup ExecId | stats count

## Results Count = 9221

isoutamo · ‎12-27-2023

Hi

You should try something like this.

index=abc sourcetype=123 (source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region")) 
OR 
( source=*block* TERM("1=1") OR TERM("2=2"))
| dedup source ExecId 
| stats count

Just test if dedup is correct for your case.

r. Ismo

View solution in original post

isoutamo · ‎12-27-2023

Hi

You should try something like this.

index=abc sourcetype=123 (source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region")) 
OR 
( source=*block* TERM("1=1") OR TERM("2=2"))
| dedup source ExecId 
| stats count

Just test if dedup is correct for your case.

r. Ismo

how to combine two sources

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation