Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine the results of my different searches?

nschacht123
New Member
‎01-30-2017 01:01 PM

How do I merge search results for this problem:

Search 1 contains Field A, Search 2 contains Field B. Want to merge searches by host, time, and Field A = Field B

What I have so far is:

index =index value sourcetype = sourcetype value host=host value "Search 1" OR "Search 2" |transaction host startswith="Search1" endswith="Search2" maxspan=3s

Gets me sorta close, but I still have a mismatch with Field A and Field B.

I need correlate the results of the searches by host, time, Field A and Field B matching.

Any ideas?

0 Karma
Reply

lguinn2
Legend
‎01-30-2017 01:50 PM

Try this:

 index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| newField = coalesce(FieldA,FieldB)
| transaction host newField startswith="Search1" endswith="Search2" maxspan=3s

You might not need the startswith="Search1" endswith="Search2"

0 Karma
Reply

nschacht123
New Member
‎01-31-2017 06:26 AM

Not what I was looking for.

0 Karma
Reply

lguinn2
Legend
‎01-30-2017 01:48 PM

Sorry, your syntax is very confusing to me. Do you mean:

index=myIndex sourcetype=aSourcetype host=xyzHost "Search1" OR "Search2"
| transaction host startswith="Search1" endswith="Search2" maxspan=3s

Also, are there many results for "Search1" and "Search2" for each host?

0 Karma
Reply

nschacht123
New Member
‎01-30-2017 02:50 PM

Yes that is the correct syntax. Although I don't know if I'm on the right trail. There won't be too many results for each search.

Basically I have logs from a device. I'm trying to merge searches from two different sections of the logs. Search 1 shows a trigger for a channel. Search 2 shows the result of that trigger. There is a field in Search 1 (FieldA) that has the channel ID. Search 2 has a field (FieldB) that has the channel ID. Since host is the same for both searches, using the transaction command combines the logs by host, but Field A and Field B are all mixed up.

I have the 2 searches:

index=myIndex sourcetype=asourcetype host=xyzHost "Search 1"
Result contains Field A which is equal to A-Z
index=myIndex sourcetype=asourcetype host=xyzHost "Search 2"
Result contains Field B which is equal to A-Z

I want to merge to one transaction. I have no problem with host since it is the same field, but how do I handle Field A and Field B?

I want the combined search to show me logs where the hosts are the same and Field A and Field B match.

Does that make any sense???

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...