Splunk Search

Evaluate results based on like-fields from two different indexes?

jl19
Explorer

I have entries in IndexA that I want to find failures for. However, if IndexB has an entry with the same field and is a 'success' entry then I want to exclude it from the results entirely.

Example:
IndexA
Entry1
- Result: Failure
- ID: 1
Entry2
- Result: Failure
- ID: 2

IndexB
Entry1
- Result: Success
- ID: 1

The search would only return Entry2 from IndexA in this scenario because ID:1 exists in both A and B so Entry1 was excluded. I can't figure out how to get these to properly exclude based on results from IndexB. I've been attempting sub-searches and joins but the results aren't coming through.

Any help would be greatly appreciated.

0 Karma
1 Solution

DalJeanis
SplunkTrust

There are tons of ways, depending on the data.

(index="A" "Failure") OR (index="B" "Success")
| rename COMMENT as "limit the records to the fields that we need."
| fields index ID fieldA1 fieldA2 fieldA3 fieldA4

| rename COMMENT as "now mark every record with all the indexes found for that ID"
| eventstats values(index) as foundboth by ID

| rename COMMENT as "and kill all the records that have a B index"
| where index="A" AND mvcount(foundboth)=1

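A run-anywhere version of the accepted approach, added here as an example and not part of the original thread. It builds the three sample events from the question with makeresults (index, ID and Result are set by eval, so no real index is read), which lets you confirm that only the ID=2 failure survives before pointing the search at the real indexes.

```spl
| makeresults count=3
| streamstats count AS n
| rename COMMENT AS "constructed sample data: two A failures (ID 1, 2) and one B success (ID 1)"
| eval index=if(n<=2, "A", "B"), ID=if(n==3, 1, n), Result=if(index="A", "Failure", "Success")
| fields - _time n

| rename COMMENT AS "collect the distinct indexes seen for each ID; values() de-duplicates, so several A events for one ID still give a count of 1"
| eventstats values(index) AS foundboth BY ID

| rename COMMENT AS "keep only A events whose ID never appeared in B"
| where index="A" AND mvcount(foundboth)=1
| table index ID Result foundboth
```

The expected output is a single row (index=A, ID=2, Result=Failure, foundboth=A); if ID=1 also shows up, the B events are not reaching the eventstats step, usually because a preceding fields command dropped index or ID.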


DalJeanis
SplunkTrust

@jl19 - if this solved your issue, then please accept the answer so it will show closed. If not, please feel free to ask for more information here. Thanks!

jl19
Explorer

I had to tweak it a little more for my use case but this got me through the wall I was hitting. Thank you very much for your help! This was great!

DalJeanis
SplunkTrust

@jl19 - that's sometimes how it works. A lot of questions in Splunk are largely answered by pulling out all the complications already introduced, and doing simple respecifications that start at the record level. Glad it worked out.
