Re: How do you correlate one field between two sou...

luke222010 · ‎01-09-2019

I have:

sourcetype_a` and`sourcetype_b

Where one field message_ID exists in both source types.

I want to loop through each message_ID in sourcetype_a and look for it in sourcetype_b, then if it finds it, look for the value of field: result in sourcetype_b, and print out all where result=success.

Can anyone help explain how this can be achieved, please?

bhavikbhalodia · ‎01-11-2019

@luke222010,

You can try below query :

Thanks,
Bhavik

gcusello · ‎01-09-2019

Hi luke222010,
try something like this

index=my_index sourcetype=sourcetype_b [ search index=my_index sourcetype=sourcetype_a | fields message_ID ] result=access
| table _time message_ID result

in other words you use the message_IDs resulting from subsearch to filter the main search, then you can display results in a table (I displayed only _time, message_ID and result fields but you can display also other fields from the main search).

Bye.
Giuseppe

renjith_nair · ‎01-09-2019

@luke222010,

Give this a try

(sourcetype="sourcetype_a" OR sourcetype="sourcetype_b")
|eventstats dc(sourcetype) as c by message_ID |where c> 1 AND result="success"

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do you correlate one field between two sources, and then if they match, find value from another field from the second source type?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation