I'm trying to achieve the following search and hoped others might have some helpful suggestions.
I have two events from a summary index: `type_A` and `type_B`. They share a common field `entity_id` that may or may not match. I want to get all events of `type_B` where there is an event of `type_A` with a matching `entity_id`.
From this result, in `type_B` I have some wildcard fields (a common `wildcard_field` name with different sub-fields, such as `wildcard_field.field1`, `wildcard_field.field2`) and I want to extract the data for those fields into a table for visualisation.
Example of event structure:
{
event: type_A;
entity_id: 123;
}
{
event: type_B;
entity_id: 123; // Matches a type_A event
wildcard_field.field1: val1;
wildcard_field.field2: val2;
}
{
event: type_B;
entity_id: 345; // This one won't have a matching type_A event
wildcard_field.field1: val1;
wildcard_field.field2: val2;
}
Thank you for any suggestions.
Your dummy data looks like it might be JSON, but it isn't correctly formatted.
I am not sure what you mean by "wildcard fields".
Here is a runanywhere example with assumptions about your dummy data
| makeresults format=json data="[{
\"event\": \"type_A\",
\"entity_id\": 123
}
,
{
\"event\": \"type_B\",
\"entity_id\": 123,
\"wildcard_field.field1\": \"val1\",
\"wildcard_field.field2\": \"val2\"
}
,
{
\"event\": \"type_B\",
\"entity_id\": 345,
\"wildcard_field.field1\": \"val1\",
\"wildcard_field.field2\": \"val2\"
}]"
``` The lines above set up what I assume represents your dummy data ```
| eventstats values(event) as events by entity_id
| where event=="type_B" AND mvcount(events) == 2
| fields - events
| table wildcard_field.*
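The `mvcount(events) == 2` test above relies on the summary index holding only these two event types: any other event type sharing an `entity_id` with a `type_B` event would also make the count 2. As an added example (not from the original thread), this variant counts matching `type_A` events directly instead. The data is constructed: entity 345 gets a `type_C` companion but no `type_A`, entity 123 gets a third sub-field, and `type_a_count` is a name I chose.

```spl
| makeresults format=json data="[
  {\"event\": \"type_A\", \"entity_id\": 123},
  {\"event\": \"type_B\", \"entity_id\": 123,
   \"wildcard_field.field1\": \"val1\",
   \"wildcard_field.field2\": \"val2\",
   \"wildcard_field.field3\": \"val3\"},
  {\"event\": \"type_B\", \"entity_id\": 345,
   \"wildcard_field.field1\": \"val1\",
   \"wildcard_field.field2\": \"val2\"},
  {\"event\": \"type_C\", \"entity_id\": 345}
]"
| eventstats count(eval(event=="type_A")) as type_a_count by entity_id
| where event=="type_B" AND type_a_count > 0
| fields - type_a_count
| table entity_id wildcard_field.*
```

Only the `entity_id` 123 row survives, with all three `wildcard_field.*` columns; entity 345 is dropped even though it has two distinct event types, which the `mvcount(events) == 2` form would have let through.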
Thanks so much! This is exactly what I was trying to achieve.
Apologies about the wrongly formatted data, but your dummy data is correct. By wildcard, I meant a field name that appears multiple times but can have any number of different subfields (i.e. `wildcard_field.*`). I wasn't sure if this was the correct terminology, but your answer works exactly for this field.
Thanks again for your answer. It solves my problem, and I have also learnt a bit more about searching in Splunk, which I really appreciate. 👍