Splunk Search

Compare three sourcetypes

Path Finder

Hi,

I have three sourcetypes. It's a complicated question. I'll try my best to let you understand what I mean.

sourcetypeA

id X Y Z


sourcetypeB

id keyword


sourcetypeC

X W V


W+V may be equal to 'Y' or 'Z'. It depends on the length. X isn't the only value.

I want to find where the keyword of B is 'success' but the result doesn't exist in sourcetype C, and display the 'id'.

search A+B

...sourcetype="A" |eval Check_Y=len(Y)|eval Check_Z=len(Z)|where Check_Y>10 OR Check_Z>10 | search [search sourcetype="B" "success" |fields id]

But it always shows 'The specified search is too large....'.

In addition to this, how could I get the id?

I once thought about diff, but 'The diff command should not be used for events that have more than 500 lines, because the results may not be accurate.'.

And how could I just let the results of the subsearch pass the "value" to the outer search, rather than field name and value?

I thought I can't use 'Y=XXX' or 'Z=XXX' on sourcetype C.

Or any other command can help me to achieve my goals?

I am very grateful for your help. Thanks a lot. 😃

1 Solution

SplunkTrust

Assuming id, V, W, X, Y, Z, and keyword are all being extracted as fields.

Let's start with stitching together A and B:

sourcetype=A OR sourcetype=B | stats first(Y) as Y first(Z) as Z first(keyword) as keyword by id | search keyword="success"

That will stitch together sourcetype A and B and allow you to find just the pairs where keyword='success'.

Then you could tack on the results for sourcetype C. (Quite possibly someone can find a way to do this without the append command, possibly using the transaction command's more arcane 'transitive' mode.)

sourcetype=A OR sourcetype=B | stats first(Y) as Y first(Z) as Z first(keyword) as keyword by id | search keyword="success" | append [search sourcetype=C ] | stats first(Y) as Y first(Z) as Z first(V) as V first(W) as W by X

And now you'll have one row with the full stitched-together combination of V, W, X, Y, Z, only for the rows where the keyword in B was 'success'.

And in general, whenever you want the subsearch results to use the "value" instead of field="value", you just tack on a rename to your subsearch like so:

| rename id to search

The subsearch logic is special-cased so that for fields called search or query, it will just use the values and ignore the field names.

View solution in original post
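As an added illustration (not code from the original answer, and not Splunk's own implementation), the Python below models on constructed sample events what the two pieces of the answer do: the `stats first(...) by id` stitch of A and B followed by the keyword filter, and the way subsearch rows are pasted into the outer search either as `field="value"` pairs or, after `rename id to search`, as bare values. It also carries the stitch through to the asker's stated goal; the rule it uses there (a C row matches an A row when they share X and W+V equals Y or Z) is my reading of the question and is an assumption.

```python
"""Model of the stats-by-id stitch and the subsearch 'rename ... to search'
behaviour, as an added example. All events below are constructed."""

# Constructed sample events: each dict is one event with its sourcetype and fields.
EVENTS = [
    {"sourcetype": "A", "id": "1", "X": "x1", "Y": "abcdefghijkl", "Z": "zz"},
    {"sourcetype": "A", "id": "2", "X": "x2", "Y": "short", "Z": "zzzzzzzzzzzz"},
    {"sourcetype": "A", "id": "3", "X": "x3", "Y": "short", "Z": "short"},
    {"sourcetype": "B", "id": "1", "keyword": "success"},
    {"sourcetype": "B", "id": "2", "keyword": "success"},
    {"sourcetype": "B", "id": "3", "keyword": "failure"},
    {"sourcetype": "C", "X": "x1", "W": "abcdef", "V": "ghijkl"},
]


def stats_first_by(events, fields, key):
    """Emulate `stats first(f1) as f1 ... by key`: one row per key value,
    keeping the first non-null value seen for each requested field."""
    rows = {}
    for ev in events:
        if key not in ev:
            continue  # events without the by-field drop out, as in stats
        row = rows.setdefault(ev[key], {key: ev[key]})
        for f in fields:
            if f in ev and f not in row:
                row[f] = ev[f]
    return list(rows.values())


def stitch_a_b(events):
    """Model of: sourcetype=A OR sourcetype=B
    | stats first(Y) as Y first(Z) as Z first(keyword) as keyword by id
    | search keyword="success"   (X is carried along as well here)."""
    ab = [e for e in events if e["sourcetype"] in ("A", "B")]
    rows = stats_first_by(ab, ["X", "Y", "Z", "keyword"], "id")
    return [r for r in rows if r.get("keyword") == "success"]


def subsearch_terms(rows, field, as_search=False):
    """Emulate how subsearch rows reach the outer search: normally each row
    becomes field="value"; after `rename <field> to search` only the bare
    value is used."""
    if as_search:
        return [str(r[field]) for r in rows if field in r]
    return ['{}="{}"'.format(field, r[field]) for r in rows if field in r]


def success_ids_missing_from_c(events):
    """Assumed reading of the asker's goal: ids whose B keyword is 'success'
    and whose A row has no C row with the same X and W+V equal to Y or Z."""
    c_concat = {(e["X"], e["W"] + e["V"]) for e in events if e["sourcetype"] == "C"}
    missing = []
    for r in stitch_a_b(events):
        if (r["X"], r["Y"]) in c_concat or (r["X"], r["Z"]) in c_concat:
            continue  # a matching C row exists, so this id is not reported
        missing.append(r["id"])
    return missing


if __name__ == "__main__":
    stitched = stitch_a_b(EVENTS)
    print("stitched A+B with keyword=success:", stitched)
    print("subsearch as field=value:", subsearch_terms(stitched, "id"))
    print("subsearch after rename id to search:", subsearch_terms(stitched, "id", as_search=True))
    print("success ids with no match in C:", success_ids_missing_from_c(EVENTS))
```

On the constructed data, id 1 is matched by the single C row (x1, "abcdef" + "ghijkl" equals its Y), id 3 is dropped by the keyword filter, and only id 2 is reported. The `subsearch_terms` output shows why the rename matters: `id="1" id="2"` only works where the outer events carry an `id` field, whereas the bare values `1 2` are matched as free-text terms against any event.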