Splunk Search

Compare 2 fields with different queries

graziaedu
Explorer

I have the following situation:

queryA returns correlations
AAA
BBB
CCC
DDD

queryB returns correlations
AAA
CCC
EEE

Expected result is the queryA events with correlations AAA and CCC.

I need a query that compares the field correlation between them and, if they are equal, shows me the queryA events.

Thanks

0 Karma

bowesmana
SplunkTrust

You can also use the technique

(search1) OR (search2)
| stats values(*) as * by correlation_field
| where (condition)

the condition can then be based on your dataset, e.g. if search1 is sourcetype=A and search2 is sourcetype=B, then condition could be

| where mvcount(sourcetype)=2

because the stats values would have collected both sourcetypes to that field - if there is only one satisfying event correlation, then it is not included.

Another condition might be

| where isnotnull(field_from_search1) AND isnotnull(field_from_search2)

which is basically ensuring that a field from data set 1 and a field from data set 2 both exist in the results.

0 Karma
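A worked version of this technique, added here as an example and not code from the reply. It builds the poster's sample data inline with makeresults (constructed data: a sourcetype A set with correlations AAA, BBB, CCC, DDD and a sourcetype B set with AAA, CCC, EEE; the src_host values are invented), then applies the stats values(*) collapse with the mvcount condition. The host_a and host_b fields exist only so that the alternative isnotnull(host_a) AND isnotnull(host_b) condition from the reply can be tried in place of the mvcount test. In a real search the makeresults, eval, mvexpand and rex lines are replaced by (search1) OR (search2).

```spl
| makeresults
| eval data="A,AAA,web01;A,BBB,web02;A,CCC,web03;A,DDD,web04;B,AAA,ids01;B,CCC,ids02;B,EEE,ids03"
| eval data=split(data, ";")
| mvexpand data
| rex field=data "^(?<sourcetype>[^,]+),(?<correlation>[^,]+),(?<src_host>[^,]+)$"
| fields - data
| eval host_a=if(sourcetype="A", src_host, null()), host_b=if(sourcetype="B", src_host, null())
| stats values(*) as * by correlation
| where mvcount(sourcetype)=2
| table correlation sourcetype host_a host_b

| makeresults
| eval data="A,AAA,web01;A,BBB,web02;A,CCC,web03;A,DDD,web04;B,AAA,ids01;B,CCC,ids02;B,EEE,ids03"
| eval data=split(data, ";")
| mvexpand data
| rex field=data "^(?<sourcetype>[^,]+),(?<correlation>[^,]+),(?<src_host>[^,]+)$"
| fields - data
| eventstats dc(sourcetype) AS n_sources BY correlation
| where n_sources=2 AND sourcetype="A"
| table correlation sourcetype src_host
```

The first search returns one row per correlation that appears in both data sets (AAA and CCC), with sourcetype holding both values and the per-side hosts gathered into multivalue fields; note that stats values(*) collapses the events, so the original queryA rows are no longer individually visible. The second search is a variant that keeps them: eventstats attaches the distinct-sourcetype count to every event without collapsing, and the where clause then keeps only the sourcetype A events whose correlation also occurs in sourcetype B, which is the "queryA events" result the question asks for. Neither form is subject to subsearch result limits, because both sides are fetched by a single base search.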

richgalloway
SplunkTrust

It sounds like the set union command will do the job. See https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Set

---
If this reply helps you, Karma would be appreciated.
0 Karma
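The set command documented at that link supports three operations, union, diff and intersect, and compares whole result rows from two subsearches, so each subsearch should be reduced to the single field being compared. The following is an added example, not part of the reply; index=main and the sourcetypes A and B are assumptions standing in for the poster's two queries, and correlation is the field named in the question. The first search lists the correlation values present in both result sets. Because set returns that list rather than the originating events, the second search uses queryB as a plain subsearch filter on queryA, which returns the queryA events whose correlation also appears in queryB.

```spl
| set intersect
    [ search index=main sourcetype=A | dedup correlation | fields correlation ]
    [ search index=main sourcetype=B | dedup correlation | fields correlation ]

index=main sourcetype=A
    [ search index=main sourcetype=B | dedup correlation | fields correlation ]
```

In the second search the subsearch is expanded into (correlation=AAA) OR (correlation=CCC) OR (correlation=EEE) before the outer search runs, so only sourcetype A events carrying AAA or CCC survive. Both forms depend on subsearches, which by default are capped at 10,000 results (subsearch_maxout) and 60 seconds (subsearch_maxtime); if queryB can exceed either limit, its result list is truncated and the filter becomes incomplete, in which case the stats or eventstats approach over (search1) OR (search2) is the safer choice.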