Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Match event between two Index and get desired value

ashiknew007
New Member
‎06-10-2019 02:54 AM

Hi,

I am trying to match events between two index: Index A & Index B.
Index A have 3 column: date-time, User's Cell NO, user's account type and the agent name who modify that user's information.
Index B have 3 column: date-time, User's Cell NO, user's account type and the agent name who modify that user's information.

Both the data is different sources and different values, date-time.

My expectation is to match the user's cell no between two index based on below criteria:
1)_ If any "cell no" exist in "Index A" will match with "Index B" only 10min before of the Index A time. I tried below command which is not as expected result:_

index=A | join CellNO type=outer usetime=true earlier=true [search index=B earliest=-10m latest=now
| fields _time,CellNo,Agent,TIME-B]
| fillnull value="Not found"
| table _time(A),CellNo,TIME-B,Agent

2) If any CellNo exist in Index-A but not exist in Index-B (just 10min before of the Index-A time), then i want to see the "agent name" from Index-A

Can anyone please help on this to share the commands.

0 Karma
Reply

ashiknew007
New Member
‎06-10-2019 07:22 PM

Hi gcusello,
many thanks for your feedback. here is feedback for your query:
1) Yes, correct. It is "CellNo"
2) Actually I want to mean here the time of Index-A with this "_time(A)"
3) with the word TIME-A & TIME-B, actually I mean here the value from Index-A and Index-B respectively.
I tried with "join type=inner" which shows me the value from all time and not only the 10m before data.
I will try ur command and get back to you.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-10-2019 06:55 AM

Hi ashiknew007,
Only few adding information:

  • "CellNO" is a writing error, the correct one is CellNo, correct? Fieldnames are case sensitive!
  • What's "_time(A)", there isn't any field with this name?
  • if you use type=outher in Join, the most values haven't TIME-B field, is it correct?

Anyway, try something like this:

index=A | join CellNo type=outer usetime=true earlier=true [search index=B earliest=-10m latest=now
| rename Agent AS AgentB
| fields _time,CellNo,AgentB,TIME-B]
| eval Agent=coalesce(AgentB,Agent)
| fillnull value="Not found" 
| table _time, CellNo, TIME-B, Agent

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...