Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I filter out unique values from a shared field across multiple queries using subsearch?

rlough
Path Finder
‎01-28-2015 09:05 AM

Hello,

I currently have two queries which both have the same field. Is there a way, using subsearch, to filter out any values that are not in both queries?

Here's what I currently have, but does not work as expected:

source=src1.log join SHARED_FIELD [search source=src2.log]

Thank you in advance!

Example Data:

src1
SHARED_FIELD=blah
SHARED_FIELD=blah2
SHARED_FIELD=blah3

src2
SHARED_FIELD=blah
SHARED_FIELD=blah3
SHARED_FIELD=blah4

Result from query:

SHARED_FIELD=blah
SHARED_FIELD=blah3
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:17 AM

Try this slightly different approach:

source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:17 AM

Try this slightly different approach:

source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 11:30 AM

Use | where source_count = 2 then.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 10:27 AM

Sure, any combination of filters is possible. Just make sure you get the parentheses right to apply the filter for source one only to source one.

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 10:38 AM

Hey, I just realized that this is only keeping unique values. I actually want to filter those out so that only fields in both sources are recorded. Is there a similar function to dc() that does this?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:28 AM

That means there is no value for SHARED_FIELD that only exists in one source?

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 10:20 AM

Is there any way to add extra tags to the searches?
ie
(source=src1.log TAG1=TAG) OR (source=src2.log "some matching text") | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 09:31 AM

Oh, I figured it out! I needed to include the index for the search at the beginning of the query, whoops.

Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 09:24 AM

Nope, doesn't seem to be working. I'm still getting 0 events found.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...