Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate fields from two different searches?

SaamerS
New Member
‎05-29-2018 11:01 AM

Thanks in advance.

I have events from two different sources:

The first source (let's call it Source A) has the following fields in its events:
1. Name of job
2. Parent job

Source B:
1. Name of Job (Same as source A, but could be parent or child)
2. runTime

The run-time of the parent jobs can be broken down by the run-times of its child, but the correlation between parent and child can only be found in the first source.

I am stumped by this because the information is from two different sources. Any help will be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime
0 Karma
Reply
Solved! Jump to solution

SaamerS
New Member
‎05-31-2018 06:50 AM

@richgalloway
I would like to create a pie chart of how the children run-times breakdown the parent's run-time

@xpac
One parent, multiple children relationship. Children can't have children jobs.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:05 PM

Is this a single level relation?
Like, do all jobs belong to some parent job, and that's it? Or do some jobs have child jobs, and those have child jobs, and so on?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 11:31 AM

What is your question? What is your desired output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...