How do I run these two searches at the same time and compare fields extracted with rex for similarities?

Path Finder

Hello all,

I have two searches (shown below). In the first, I extract two fields, Code and Serial. In the second, I search for specific events that contain the problem number PMN 23; the field extracted is called PMN (1st field extracted from 2nd search), and it ranges across multiple reporting serial values (2nd field extracted from 2nd search). I would like to compare the Serial and reporting serial fields from the two searches for similarity, keep only the ones that match, and put them in a table/stat (whatever works really). However, I'm having problems running the two searches concurrently and comparing. Is there any way that I can do this?
Thank you

Search 1

| search index=* sourcetype=CodeLevels "Code Levels" 
| rex  "(?<Code>.*),(?<Serial>.*)"

Search 2

| search index=* sourcetype=syslog "PMN 23"
| rex "(?<PMN>.*),(?<reporting_serial>.*)"
1 Solution

Legend

You could do this

index=* (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23")
| rex  "(?<Code>.*),(?<Serial>.*)"
| eval PMN=if(sourcetype=="syslog",Code,null())
| eval Code=if(sourcetype=="CodeLevels",Code,null())
| stats count values(Code) as Code values(PMN) as PMN by Serial
| where count > 1 AND isnotnull(Code) AND isnotnull(PMN)

That's just one search, so it is more efficient too. It is not testing for "similar" value of Serial and "reporting serial", but an exact match.
What would you consider "similar?"

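To make the behaviour of the accepted search concrete, here is an added example (not code from the original post, and not Splunk's own code) that emulates its rex/eval/stats/where pipeline in Python over a handful of constructed events. It assumes each event is a (sourcetype, raw) pair in the "<something>,<serial>" shape the rex expects, and it stands in for the quoted-phrase search terms with a plain substring test. Two things the thread only states in passing show up in the output: the match on Serial is exact, and both `.*` in the rex are greedy, so an event with more than one comma is split at its last comma.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post), one (sourcetype, _raw)
# pair per event, in the "<something>,<serial>" shape the rex in the thread expects.
SAMPLE_EVENTS = [
    ("CodeLevels", "Code Levels: 4.2.1,SN1001"),
    ("CodeLevels", "Code Levels: 4.2.1,SN1002"),
    ("CodeLevels", "Code Levels: 4.3.0,SN1003"),
    ("CodeLevels", "Code Levels: 4.0.0,SN3000"),
    ("CodeLevels", "Code Levels: 4.0.0,SN3000"),  # same serial twice, but never in syslog
    ("syslog", "PMN 23,SN1002"),
    ("syslog", "PMN 23,SN1003"),
    ("syslog", "PMN 23,SN2000"),
    ("syslog", "PMN 24,SN1001"),  # not a "PMN 23" event: dropped by the search filter
]

# The answer's rex, "(?<Code>.*),(?<Serial>.*)", in Python's (?P<name>...) syntax.
REX = re.compile(r"(?P<Code>.*),(?P<Serial>.*)")


def extract(raw):
    """Return (Code, Serial) for one event, or None when the rex does not match.

    Both .* are greedy, so the split lands on the LAST comma in the event: a
    value with an embedded comma ends up partly in Code. Worth knowing before
    trusting an exact match on Serial.
    """
    m = REX.search(raw)
    return (m.group("Code"), m.group("Serial")) if m else None


def matches_search(sourcetype, raw):
    """Emulates: (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23").

    Splunk matches quoted phrases against indexed terms; a substring test is a
    close enough stand-in for this constructed sample data.
    """
    return (sourcetype == "CodeLevels" and "Code Levels" in raw) or (
        sourcetype == "syslog" and "PMN 23" in raw
    )


def correlate(events):
    """Emulates the eval/stats/where tail of the accepted answer.

    Returns {Serial: {"count": n, "Code": set, "PMN": set}} holding only the
    serials seen in BOTH sourcetypes, i.e. an exact match on Serial.
    """
    by_serial = defaultdict(lambda: {"count": 0, "Code": set(), "PMN": set()})
    for sourcetype, raw in events:
        if not matches_search(sourcetype, raw):
            continue
        fields = extract(raw)
        if fields is None:
            continue
        code, serial = fields
        row = by_serial[serial]
        row["count"] += 1                 # stats count ... by Serial
        if sourcetype == "syslog":        # eval PMN=if(sourcetype=="syslog",Code,null())
            row["PMN"].add(code)          # values(PMN): distinct values only
        elif sourcetype == "CodeLevels":  # eval Code=if(sourcetype=="CodeLevels",Code,null())
            row["Code"].add(code)         # values(Code)
    # where count > 1 AND isnotnull(Code) AND isnotnull(PMN)
    # count > 1 alone is not enough: SN3000 has two CodeLevels events and no PMN.
    return {
        serial: row
        for serial, row in by_serial.items()
        if row["count"] > 1 and row["Code"] and row["PMN"]
    }


if __name__ == "__main__":
    for serial, row in sorted(correlate(SAMPLE_EVENTS).items()):
        print(serial, row["count"], sorted(row["Code"]), sorted(row["PMN"]))
```

Running it lists SN1002 and SN1003 only: SN1001 and SN2000 appear in one sourcetype each, and SN3000 reaches count 2 without ever getting a PMN value, which is exactly why the answer's where clause checks isnotnull(Code) and isnotnull(PMN) in addition to count > 1.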

Path Finder

Sorry, I should have been more clear: by similar I mean exact match, and thank you!


Builder

index=blabla | my_search_request OR [index=blabla2 | my_search_request_2]

Legend

Can you explain this answer? I don't understand what my_search_request would look like, so I am unclear how this solution would work. Thanks!


Builder

I thought that raby1996 only needed to know how to run two searches at the same time. Please excuse me if I caused any confusion in any way. I see that your answer also used the Boolean operator OR; your answer is definitely very complete.
