
Evaluate results based on like-fields from two different indexes?

Explorer

I have entries in IndexA that I want to find failures for. However, if IndexB has an entry with the same field and is a 'success' entry then I want to exclude it from the results entirely.

Example:
IndexA
Entry1
- Result: Failure
- ID: 1
Entry2
- Result: Failure
- ID: 2

IndexB
Entry1
- Result: Success
- ID: 1

The search would only return Entry2 from IndexA in this scenario because ID:1 exists in both A and B so Entry1 was excluded. I can't figure out how to get these to properly exclude based on results from IndexB. I've been attempting sub-searches and joins but the results aren't coming through.

Any help would be greatly appreciated.


Re: Evaluate results based on like-fields from two different indexes?

SplunkTrust

There are tons of ways, depending on the data.

(index="A" "Failure")  OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1
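Two further variants of the same anti-join, added here as an example and not part of the answer above. Both assume, as the accepted search does, that ID is a field shared by both indexes and that Result is an extracted field whose values are Failure and Success (the answer matches those strings as bare terms; the field name Result is an assumption taken from the question's sample entries). The first variant collapses to one row per ID with stats instead of keeping each raw event with eventstats, so it tolerates any number of events per ID in either index; the second expresses the exclusion as a NOT subsearch, which is the form the question was attempting.

```spl
(index="A" Result="Failure") OR (index="B" Result="Success")
| rename COMMENT as "variant 1: one row per ID; idx_seen lists every index where this ID occurred"
| fields index ID Result
| stats values(index) as idx_seen values(Result) as results by ID
| rename COMMENT as "keep only IDs seen in A alone; any ID that also appeared in B with Success is dropped"
| where idx_seen="A" AND mvcount(idx_seen)=1


index="A" Result="Failure" NOT [ search index="B" Result="Success" | dedup ID | fields ID ]
```

The subsearch in the second variant is expanded into `(ID="1") OR (ID="2") ...` before the outer search runs, so `| fields ID` (and the `dedup`) is what keeps the generated clause to the one field being matched; returning extra fields would silently AND them into each term and exclude nothing. Subsearches are also bounded by their default limits (10,000 results and 60 seconds), so when index B can hold more distinct IDs than that, the eventstats or stats form is the reliable one.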


Re: Evaluate results based on like-fields from two different indexes?

SplunkTrust

@jl19 - if this solved your issue, then please accept the answer so it will show closed. If not, please feel free to ask for more information here. Thanks!


Re: Evaluate results based on like-fields from two different indexes?

Explorer

I had to tweak it a little more for my use case but this got me through the wall I was hitting. Thank you very much for your help! This was great!


Re: Evaluate results based on like-fields from two different indexes?

SplunkTrust

@jl19 - that's sometimes how it works. A lot of questions in Splunk are largely answered by pulling out all the complications already introduced, and doing simple respecifications that start at the record level. Glad it worked out.