Correlation between 3 sources with 2 IDs

jsp · ‎06-18-2013

I have 3 sourcetypes, and am trying to correlate them based off of 2 IDs. Here is an oversimplified example of the data and what I am trying to achive:

index=books sourcetype=titles
fields: title   title_id    queue_id

index=books sourcetype=authors
fields: author  title_id

index=books sourcetype=locations
fields: location    queue_id

What is the easiest way to get title, author, location, title_id, queue_id in one row of results, based on a search for a title?

alacercogitatus · ‎06-18-2013

index=books sourcetype=titles title=TITLE | join type=outer title_id [search index=books sourcetype=authors ]|join type=outer queue_id [search index=books sourcetype=locations]| stats count by title author location title_id queue_id

Should get you started. join's are a little ineffective, but if you make them static lookups, they would run faster.

Correlation between 3 sources with 2 IDs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Correlation between 3 sources with 2 IDs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future