Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I filter out unique values from a shared field across multiple queries using subsearch?

rlough
Path Finder
‎01-28-2015 09:05 AM

Hello,

I currently have two queries which both have the same field. Is there a way, using subsearch, to filter out any values that are not in both queries?

Here's what I currently have, but does not work as expected:

source=src1.log join SHARED_FIELD [search source=src2.log]

Thank you in advance!

Example Data:

src1
SHARED_FIELD=blah
SHARED_FIELD=blah2
SHARED_FIELD=blah3

src2
SHARED_FIELD=blah
SHARED_FIELD=blah3
SHARED_FIELD=blah4

Result from query:

SHARED_FIELD=blah
SHARED_FIELD=blah3
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:17 AM

Try this slightly different approach:

source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:17 AM

Try this slightly different approach:

source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 11:30 AM

Use | where source_count = 2 then.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 10:27 AM

Sure, any combination of filters is possible. Just make sure you get the parentheses right to apply the filter for source one only to source one.

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 10:38 AM

Hey, I just realized that this is only keeping unique values. I actually want to filter those out so that only fields in both sources are recorded. Is there a similar function to dc() that does this?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-28-2015 09:28 AM

That means there is no value for SHARED_FIELD that only exists in one source?

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 10:20 AM

Is there any way to add extra tags to the searches?
ie
(source=src1.log TAG1=TAG) OR (source=src2.log "some matching text") | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 09:31 AM

Oh, I figured it out! I needed to include the index for the search at the beginning of the query, whoops.

Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

rlough
Path Finder
‎01-28-2015 09:24 AM

Nope, doesn't seem to be working. I'm still getting 0 events found.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...