Re: How to add two different soucetype

sushil_sh · ‎07-29-2021

Hi,

We are looking to join two different soucretype which is given below

1- first source type for abc(In this soucetype it contains all server list)

sourcetype=abc AlertName IN ("Health Service Heartbeat Failure", "Unexpected shutdown Event ID XXXX") | sort _time | table ServerName, AlertName

,AlertTriggered | dedup ServerName, AlertName

,AlertTriggered

2- Second source type for xyz(In this source type list contain only selective server i.e suport)

sourcetype=xyz StatusValue IN(blue) Company IN("Support") | sort _time desc | dedup ManagementGroup , ServerName , _time | table ManagementGroup, ServerName, StatusValue, _time

__________________________________________________________-

we looking for combine syntax on which we view data like (serverName(support), Event ID includes heartbite Failure, Start time of event, End time of event).

I am looking for your response

Thanks in advance

_

jhanvidattani · ‎07-31-2021

@sushil_sh
Using join command between both queries would look like this:

sourcetype="abc" <further_query> | join ServerName [search sourcetype="xyz" <further_query>]

Basically, mentioned the field/s that is common for both searches. Further information about various options or behaviour of join command is available: join

If you find my solution/debugging steps fruitful, an upvote would be appreciated.

sushil_sh · ‎07-29-2021

Hi All,

Please response from my query, waiting for your response

How to add two different soucetype

chart

eval

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?