Splunk Search

Compare data in two different sourcetypes

Path Finder

Hi,

I have two different sourcetypes, src_a and src_b. There are "transaction_id" values in src_a and "transaction_no" values in src_b. Both are the same. Both sourcetypes belong to the same index.

I have to compare transaction_id in src_a (transaction_no in src_b) for those whose status=complete in src_b.

Please help.

1 Solution

Ultra Champion

Ok, you probably need to clarify what type of comparison you want to do:

  • you want to find all transaction_id in A whose corresponding transaction_no in B has status 'complete'
  • you want to find all transaction_id in A who do NOT have a 'complete' status in B
  • you want to find some ratio between the two
  • you want to build (splunk) transactions to logically group events from A & B

Here are some ideas anyway:

Create a common field between the sources and create a transaction based on that.

source=A OR source=B | eval transX = coalesce(transaction_id, transaction_no) | transaction transX

Find events in A that do not have a 'complete' in B

source=A NOT [search source=B status="complete" | rename transaction_no AS transaction_id | fields + transaction_id]

Hope this helps,

K


Revered Legend

Extending the answer by Kristian: if you need all the fields from src_a and src_b for a transaction whose status=complete in src_b, you can use join.

sourcetype=src_a | join transaction_id [search sourcetype=src_b status="complete" | rename transaction_no as transaction_id]

If you just want fields from src_a, this is a little faster way.

sourcetype=src_a | join transaction_id [search sourcetype=src_b status="complete" | stats count by transaction_no | fields - count | rename transaction_no as transaction_id]
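An added example, not from either answer above and not Splunk's own documentation: the same correlation done with stats instead of join, which processes both sourcetypes in a single pass and avoids the result and time limits that join's subsearch inherits. `index=<your_index>` is a placeholder for the shared index mentioned in the question; transX is a working field name chosen here.

```spl
index=<your_index> (sourcetype=src_a OR sourcetype=src_b)
| eval transX = coalesce(transaction_id, transaction_no)
| stats count(eval(sourcetype=="src_a")) AS a_events,
        count(eval(sourcetype=="src_b" AND status=="complete")) AS b_complete,
        values(status) AS statuses,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
    BY transX
| where a_events > 0 AND b_complete > 0
| rename transX AS transaction_id
```

Change the final condition to `b_complete = 0` to list src_a transactions with no complete record in src_b, or drop the where clause to get a per-transaction summary across both sourcetypes.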

Path Finder

Thank you somesoni for your time!!



Path Finder

Thanks kolb & somesoni!!
