Combine results from 2 searches with a common fiel...

lohit · ‎04-20-2015

Hi all ,

i am trying to merge my results from 2 searches running over different indexes that have a common field "url".

index ="abc"| join url [search index="xyz" | eval url=uri | fields + url, a,b,c ]

i have used the eval command because in index "xyz" field name is uri but the values are same. What i am looking of is

To merge these 2 results and output uncommon fields from index "abc" and index "xyz along with "url".

Please help

MuS · ‎04-20-2015

Hi lohit,

you should be able to use something like this:

index=abc OR index=xyz | eval url=coalesce(url, uri) | stats count by url, a, b, c

The eval coalesce will take care that you have a url field for each event fron any index.

Also take a look at this answer for more details http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

Hope this helps ...

cheers, MuS

lohit · ‎04-20-2015

Hi MuS ,

i have match events containing url from index "xyz" which have same url in index "abc" and not from either of them.

MuS · ‎04-20-2015

Okay, then you should be able to simply use a index=abc OR index=xyz | stats by url if you have this field in both indexes....but you wrote in your question that you have not, that's why you used the eval.....

lohit · ‎04-20-2015

ok let me explain again.

in index "abc" i have field url, x,y
in index "xyz" i have field uri,a,b
now this uri and url are same fields across indexes. my concern is that how can i get something like this without join in table

col1 col2 col3 col4 col5
url(both index) x y a b

MuS · ‎04-20-2015

Understood, try my first search and to add a b x y use streamstats like in the answer I provided the link 😉 Or do it only by using streamstats .... like

 index=abc OR index=xyz | streamstats values(a) AS a, values(b) AS b ....

lohit · ‎04-20-2015

Ok i have written the below query

how can i better write this query ?

MuS · ‎04-20-2015

try this:

index="abc" OR index=xyz |eval agt=cs_us | eval url=uri | stats values(a) AS a,values(s) AS s, values(agt) AS atg by url

lohit · ‎04-20-2015

it is not returning any results !!

MuS · ‎04-20-2015

Since I don't have any of your events, I cannot test it. But I did show your the direction to go. Read the linked answer and use the provided searches to try it yourself. Afterwards adopt the searches to your real world events.

lohit · ‎04-20-2015

ok thanks MuS

lohit · ‎04-22-2015

MuS, if i run your last suggestion,it is
giving fields from only one index.

MuS · ‎04-22-2015

I just did a copy paste of your provided search where you asked how can i better write this query ? yesterday

lohit · ‎04-22-2015

using join , my query is very slow since both the index is very noisy. Any help from your side ?

lohit · ‎04-22-2015

Yes it is quite strange. my join query is working fine but with stats only it is returning fields from one index.

lohit · ‎04-22-2015

index=abc OR index=xyz| eval url=uri | stats values(a),values(x) by url

values(a) is from index=abc and is coming
values(x) is from index=xyz and is not coming.

lohit · ‎04-20-2015

Also in the output i have to display fields of both indexes. i have done it using join but it very slow. any faster way of doing it.

lohit · ‎04-20-2015

solved it
myself

Combine results from 2 searches with a common field

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

Combine results from 2 searches with a common field

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency