Solved: how to combine two sources

selvam_sekar · ‎12-27-2023

Hi,

I have below spl query and trying to combine them together. please could you suggest?

Expected count is 13919

spl 1:

index=abc sourcetype=123 source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa
TERM("4=region") | dedup ExecId | stats count

## Results Count = 4698

spl 2:

index=abc sourcetype=123 source=*block* TERM("1=1") OR TERM("2=2") | dedup ExecId | stats count

## Results Count = 9221

isoutamo · ‎12-27-2023

Hi

You should try something like this.

index=abc sourcetype=123 (source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region")) 
OR 
( source=*block* TERM("1=1") OR TERM("2=2"))
| dedup source ExecId 
| stats count

Just test if dedup is correct for your case.

r. Ismo

View solution in original post

isoutamo · ‎12-27-2023

Hi

You should try something like this.

index=abc sourcetype=123 (source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region")) 
OR 
( source=*block* TERM("1=1") OR TERM("2=2"))
| dedup source ExecId 
| stats count

Just test if dedup is correct for your case.

r. Ismo

how to combine two sources

troubleshooting

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

how to combine two sources

troubleshooting

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events