How to add two different soucetype - Splunk Community

Splunk Search

Hi,

We are looking to join two different soucretype which is given below

1- first source type for abc(In this soucetype it contains all server list)

sourcetype=abc AlertName IN ("Health Service Heartbeat Failure", "Unexpected shutdown Event ID XXXX") | sort _time | table ServerName, AlertName

,AlertTriggered | dedup ServerName, AlertName

,AlertTriggered

2- Second source type for xyz(In this source type list contain only selective server i.e suport)

sourcetype=xyz StatusValue IN(blue) Company IN("Support") | sort _time desc | dedup ManagementGroup , ServerName , _time | table ManagementGroup, ServerName, StatusValue, _time

__________________________________________________________-

we looking for combine syntax on which we view data like (serverName(support), Event ID includes heartbite Failure, Start time of event, End time of event).

I am looking for your response

Thanks in advance

_

@sushil_sh
Using join command between both queries would look like this:

sourcetype="abc" <further_query> | join ServerName [search sourcetype="xyz" <further_query>]

Basically, mentioned the field/s that is common for both searches. Further information about various options or behaviour of join command is available: join

If you find my solution/debugging steps fruitful, an upvote would be appreciated.

Hi All,

Please response from my query, waiting for your response

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...