Splunk Search

Can you help me find matching fields from 2 out of 3 sources?

Task1906
Explorer

Hello, I hope someone can help.

I am attempting to do a subsearch that I am having difficulty with and hope someone here can assist.

I would like any fields in SourceB or SourceC that match SourceA to be returned.

I'd previously had the following syntax:
SourceA | table field1 | search [ | search SourceB table field1 ] | search [ |search SourceC field1 | table src]

but now, I need it to be interpreted more like this:
SourceA field1 (SourceB field1 or SourceC field1)

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

@Task1906

If you want to filter events from SourceA on the basis of field1 value from SourceB and SourceC then try this.

SourceA [ search SourceB | dedup field1 | fields field1 ] OR [ search SourceC | dedup field1 | fields field1] | join field1 [ search SourceC | dedup field1 | fields field1 src ]

Thanks

Task1906
Explorer

kamlesh_vaghela, thanks for the input, thanks to you I have it working. But SourceA is not needed where it is. #2 SourceC is listed twice, and the 2nd time should be SourceA if it is removed from the beginning.
The working command looks like this:
[ search SourceB | dedup field1
| fields field1]
OR
[ search SourceB | dedup field1 | fields field1]
| join field1
[ search SourceA | dedup field1 | fields field1]
| table field1 | dedup field1

0 Karma

Vijeta
Influencer

You can use an inner join between source B/C and source A on the field that needs to be matched.

0 Karma
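
A join-free way to express "field1 in SourceA and in (SourceB or SourceC)", added here as an example and not taken from any of the posts above. Subsearches and `join` cap their result sets by default, so on large sources they can drop matches without an error; a single `stats` pass does not have that limit. The index names `source_a`, `source_b` and `source_c` are placeholders standing in for SourceA, SourceB and SourceC, and the example assumes `field1` is extracted in all three.

```spl
(index=source_a OR index=source_b OR index=source_c) field1=*   ```placeholder index names, assumed for this example```
| stats count(eval(index=="source_a")) AS in_a
        count(eval(index=="source_b")) AS in_b
        count(eval(index=="source_c")) AS in_c
        BY field1
| where in_a > 0 AND (in_b > 0 OR in_c > 0)   ```A AND (B OR C)```
| table field1 in_a in_b in_c
```

The `in_b` and `in_c` columns show which of the two sources produced the match for each `field1` value.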