Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining 2 different search results based on fields

selim
Path Finder
‎05-09-2013 11:52 AM

Hello,

I have 2 different searches for 2 different sourcetypes with field extractions. I'm doing the field extractions for search1 for xml data.

search1:

sourcetype=xmlapp | xmlkv

search2:

sourcetype=app2

I'd like to combine searches in such a way that when field2 from search2 does NOT match any existing field1 from search1, I need to create an alert. Any help is greatly appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-09-2013 12:00 PM

I believe something like this should work:

sourcetype=xmlapp | xmlkv | search NOT [search sourcetype=app2 | rename field2 as field1 | fields field1]

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-09-2013 12:00 PM

I believe something like this should work:

sourcetype=xmlapp | xmlkv | search NOT [search sourcetype=app2 | rename field2 as field1 | fields field1]
Reply
Solved! Jump to solution

Ayn
Legend
‎05-05-2014 02:11 PM

Hi @pramit46, I renamed it because the requirement was that values from field2 in the subsearch would be matched to values of field1 in the main search.

0 Karma
Reply
Solved! Jump to solution

pramit46
Contributor
‎05-01-2014 11:19 PM

@Ayn, Can you please explain why did you rename the field2?
I also have the same question as that in Selim's comment. Any help would be appreciated.

0 Karma
Reply
Solved! Jump to solution

selim
Path Finder
‎05-15-2013 03:29 AM

Thank you. That works for finding the events. So, how do display more fields (e.g. field1, field2, field3 from search#1 and field4, field5 from search#2) to the results so that I can display them in a table (or chart)? I tried fields command but was not successful.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...