Re: How to add two different soucetype

sushil_sh · ‎07-29-2021

Hi,

We are looking to join two different soucretype which is given below

1- first source type for abc(In this soucetype it contains all server list)

sourcetype=abc AlertName IN ("Health Service Heartbeat Failure", "Unexpected shutdown Event ID XXXX") | sort _time | table ServerName, AlertName

,AlertTriggered | dedup ServerName, AlertName

,AlertTriggered

2- Second source type for xyz(In this source type list contain only selective server i.e suport)

sourcetype=xyz StatusValue IN(blue) Company IN("Support") | sort _time desc | dedup ManagementGroup , ServerName , _time | table ManagementGroup, ServerName, StatusValue, _time

__________________________________________________________-

we looking for combine syntax on which we view data like (serverName(support), Event ID includes heartbite Failure, Start time of event, End time of event).

I am looking for your response

Thanks in advance

_

jhanvidattani · ‎07-31-2021

@sushil_sh
Using join command between both queries would look like this:

sourcetype="abc" <further_query> | join ServerName [search sourcetype="xyz" <further_query>]

Basically, mentioned the field/s that is common for both searches. Further information about various options or behaviour of join command is available: join

If you find my solution/debugging steps fruitful, an upvote would be appreciated.

sushil_sh · ‎07-29-2021

Hi All,

Please response from my query, waiting for your response

How to add two different soucetype

chart

eval

stats

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?