Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart the results of two joined searches?

jdhux
New Member
‎06-08-2016 12:19 PM

I have two types of log events:

FIELD INITIAL VALUE
Message: 
{
        "FieldName":"Field_A",
        "OrganizationID":1234,
        "FooDocumentId":01,
        "WasAutoPopulated":true,
        "FooAutopopulateInitialValueId":567,
}

FIELD UPDATE
Message: 
{
        "FieldName":"Field_A",
        "OrganizationID":1234,
        "FooDocumentId":01,
        "FooValueChangeId":890,
}

that I am trying to chart out using two joined searches.
FooDocumentId is a primary key, FieldName can have 1 of 10 values.

I want to count the number of times when a field had an initial value event AND an update event.

I have two separate queries to get these counts (that I think work):

FIND INITIAL FIELD VALUE EVENTS
    WasAutoPopulated=true 
    | chart dc(FooAutopopulateInitialValueId) by OrganizationID, FieldName

FIND FIELD UPDATES
    FooValueChangeId 
    | dedup FooValueChangeID 
    | chart COUNT(eval(FooValueChangeID)) by OrganizationID, FieldName

But I've been struggling to get the join right. I've done:

FooValueChangeId 
| dedup FooValueChangeID 
| join type=left FooDocumentId, FooFieldName, FooOrgID
  [search FooAutopopulateInitialValueId WasAutoPopulated=true]
| chart COUNT(eval(FieldName)) by OrganizationID, FieldName

but the DocumentIds for update events don't line up with the DocumentIds for initial value events

I'm looking for output like:

OrganizationID  Field_A Field_B Field_C
1234            2       1       0
0978            4       3       1
etc...

where the numbers under each fieldname are the counts of when that field for that organization had both an initial field value event and a field update event.

Am I miles off base?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎06-08-2016 03:38 PM

How about this;

 FooValueChangeId OR ( FooAutopopulateInitialValueId WasAutoPopulated=true )
 | chart count over OrganizationID by FieldName

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎06-08-2016 03:38 PM

How about this;

 FooValueChangeId OR ( FooAutopopulateInitialValueId WasAutoPopulated=true )
 | chart count over OrganizationID by FieldName
0 Karma
Reply
Solved! Jump to solution

jdhux
New Member
‎06-10-2016 01:04 PM

Saw your reply. There are some logging issues with my data and I'm re-evaluating what I'm using to gauge "success" of any query at this point.

If I'm reading your query right, though, this would get me all changes as well as initial values - then essentially dedup when you combine them in a chart?

Not sure I have that right.

0 Karma
Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎06-10-2016 04:00 PM

Yes, you're correct.

The chart will do;
For Each OrganizationID, count of events per FieldsName.

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...