Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare three data sources

jarapally
Explorer
‎02-20-2017 06:04 PM

Hello

I have three sources I should compare fields. Lets say index =A index=B and index=C. All the three sources have a unique field D. I should compare values that are in index B and index C to be present in index=A if index A has values other than that of index B & C then I should get a result as unauthorized.

Tags (1)
0 Karma
Reply

niketn
Legend
‎02-20-2017 10:21 PM

If D is the transaction ID to correlate the same event in three indexes then you can try

 index=A OR  index=B OR index=C <Add your Base Search Filter cirteria/s> 
| stats count as EventCount values(index) as MatchedIndexes  min(_time) as MinTime max(_time) as MaxTime by D
| search MatchedIndexes=A AND MatchedIndexes=B AND MatchedIndexes!=C
| eval durationInSeconds=MaxTime-MinTime
| eval _time=MinTime
| table _time D EventCount MatchedIndexes durationInSeconds
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎02-20-2017 10:23 PM

If field D is always present but may differ in your three indexes you can use D=* in your base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎02-24-2017 08:57 AM

@jarapally Were you able to check the answer?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎02-20-2017 09:33 PM

Please add more details whether field D is to correlate the events or compare the events. Do you have some sample of data from three indexes?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

jarapally
Explorer
‎02-20-2017 09:45 PM

Compare the values of the field D which is a unique bank transaction.. Index B and Index C have values of field D that are present in Index A. the transaction ID's that are present in both Index B and Index C should be present in Index A if not it is flagged as unauthorized.

Index A -Event
Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:xxxxxx}}{E: :xxxxxxyyyyyyyy}}"

Index B Event:
02-20-2017 03:34:07 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:xxxxxxxx}}{E:
xxxxxxxxxxxxxxx
-}

Index C Event

"{A:XX0000000000}{B:IXXXXN}{C:{D:xxxxxxx}}{E:
:xxxxxxxxxxxxxxxxxx
}

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...