Solved: Re: Correlation using OR ?

sbnoobbb · ‎07-15-2013

I have used this search command to display timechart and I need to search between two sourcetype and return the specific location from sourcetype="CurrentWeatherSGTraffic" but it returns me all the location even from sourcetype="ltaTraffic". How can I return location only from sourcetype="CurrentWeatherSGTraffic". (note that sourcetype="CurrentWeatherSGTraffic" has the location extracted and is the same as sourcetype="ltaTraffic")

sourcetype="CurrentWeatherSGTraffic" OR sourcetype="ltaTraffic" | timechart count(eval(current_summary="Partly Cloudy")) as Cloudy , count(eval(Type=="Accident")) as Ancident by Location

Ayn · ‎07-16-2013

If ItaTraffic contains many more locations than the only 6 from CurrentWeatherSGTraffic you care about, my advice would be to create a filter for these using a subsearch.

sourcetype="CurrentWeatherSGTraffic" OR sourcetype=ltaTraffic [search sourcetype="CurrentWeatherSGTraffic" | dedup Location | fields Location] | timechart count(eval(current_summary="Partly Cloudy")) as Cloudy , count(eval(Type=="Accident")) as Accident by Location

This will add the Location values from CurrentWeatherSGTraffic as a filter string in your search.

View solution in original post

Ayn · ‎07-16-2013

If ItaTraffic contains many more locations than the only 6 from CurrentWeatherSGTraffic you care about, my advice would be to create a filter for these using a subsearch.

sourcetype="CurrentWeatherSGTraffic" OR sourcetype=ltaTraffic [search sourcetype="CurrentWeatherSGTraffic" | dedup Location | fields Location] | timechart count(eval(current_summary="Partly Cloudy")) as Cloudy , count(eval(Type=="Accident")) as Accident by Location

This will add the Location values from CurrentWeatherSGTraffic as a filter string in your search.

sbnoobbb · ‎07-16-2013

Thanks you are right ! 😃

Drainy · ‎07-16-2013

Brackets should do the trick;

(sourcetype="CurrentWeatherSGTraffic" Location=*) OR (sourcetype=ltaTraffic NOT Location=*)

But, how will you do a By Location in the timechart if the ltaTraffic events don't have a Location?

sbnoobbb · ‎07-16-2013

I believed all my location that has accidents has changed to NULL. Including the 6 location I needed.

kailun92 · ‎07-16-2013

How can I correct it ? I only need the six location.

Ayn · ‎07-16-2013

This sounds dangerous - if ALL your Itatraffic events have the Location field, by doing "NOT Location=*" you are effectively removing all ItaTraffic events from your search altogether.

sbnoobbb · ‎07-16-2013

I had a null field for ltatraffic Location as all the other location is added into NULL, is there anyway to not show it ?

sbnoobbb · ‎07-16-2013

I needed only the 6 location from sourcetype="CurrentWeatherSGTraffic", which the 6 location is also in ltatraffic. Thanks !

sbnoobbb · ‎07-16-2013

My mistake, sourcetype="CurrentWeatherSGTraffic" contains only 6 Location while sourcetype="ltaTraffic" contains a lot.

Ayn · ‎07-16-2013

If both sourcetypes carry the same values for Location, I don't see what the problem is? Or for that matter how you want it to look instead?

Correlation using OR ?

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...