Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate fields from two different searches?

SaamerS
New Member
‎05-29-2018 11:01 AM

Thanks in advance.

I have events from two different sources:

The first source (let's call it Source A) has the following fields in its events:
1. Name of job
2. Parent job

Source B:
1. Name of Job (Same as source A, but could be parent or child)
2. runTime

The run-time of the parent jobs can be broken down by the run-times of its child, but the correlation between parent and child can only be found in the first source.

I am stumped by this because the information is from two different sources. Any help will be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-31-2018 11:25 AM

Assuming you want to chart runtime of one parent job at a time . Try something like this:

source="B" [search source="A" parentJob="ParentJobNameYouWantPieChartFor" | stats count by jobName | table jobName]
| stats sum(runTime) as runTime by jobName

Other assumptions:

  • You can search source A using source="A" and source B using source="B"
  • On source="A", field names are jobNameand parentJob
  • On source="B", field names are jobNameand runTime
0 Karma
Reply
Solved! Jump to solution

SaamerS
New Member
‎05-31-2018 06:50 AM

@richgalloway
I would like to create a pie chart of how the children run-times breakdown the parent's run-time

@xpac
One parent, multiple children relationship. Children can't have children jobs.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-29-2018 12:05 PM

Is this a single level relation?
Like, do all jobs belong to some parent job, and that's it? Or do some jobs have child jobs, and those have child jobs, and so on?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 11:31 AM

What is your question? What is your desired output?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top