Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate fields from two different searches?

SaamerS
New Member
‎05-29-2018 11:01 AM

Thanks in advance.

I have events from two different sources:

The first source (let's call it Source A) has the following fields in its events:
1. Name of job
2. Parent job

Source B:
1. Name of Job (Same as source A, but could be parent or child)
2. runTime

The run-time of the parent jobs can be broken down by the run-times of its child, but the correlation between parent and child can only be found in the first source.

I am stumped by this because the information is from two different sources. Any help will be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime
0 Karma
Reply
Solved! Jump to solution

SaamerS
New Member
‎05-31-2018 06:50 AM

@richgalloway
I would like to create a pie chart of how the children run-times breakdown the parent's run-time

@xpac
One parent, multiple children relationship. Children can't have children jobs.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:05 PM

Is this a single level relation?
Like, do all jobs belong to some parent job, and that's it? Or do some jobs have child jobs, and those have child jobs, and so on?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 11:31 AM

What is your question? What is your desired output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...