Splunk Search

How to count the occurrences based off two matching fields?

innoce
Path Finder

Hi,

I have two searches.

The first search runs once per day with a lookback of -24h@h, latest=now, cron: 5 4 * * *, and writes the results to a summary index.

my base search
...
...
| collect index=summary source="base generator"


The second search also runs once per day with a lookback of -24h@h and latest=now, cron: 5 6 * * *.

my base search
| join type=left field1 field2
[ search index=summary source="*base generator*"..... ]

Now I have the results as expected, something like this:

Field1                 field2                     _time
UserA                 list of names       30/5/2023 9:30
UserA                 list of names       30/5/2023 9:40
(both field1 and field2 are same as in first row but different time values)

In this case, I need a consolidated event count. For the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.

I tried, but no luck. Any help would be much appreciated. Thanks in advance!

0 Karma

ITWhisperer
SplunkTrust

It is a bit confusing which results are coming from where. For example, are the results at 9:30 and 9:40 both coming from your base search of the second search?

What "additional" data are you expecting to retrieve from the join?

Note that join adds data fields to existing events, it does not add events. If you want to add events (from the summary index) use the append command instead of join.

0 Karma

innoce
Path Finder

@ITWhisperer
Both base searches (first and second) are the same. The reason to write the results of the first one to summary is to get the historical events.

Now for the second one, using the same base search and correlating it with summary using a join, I'm trying to retrieve the list of new events which weren't historical (i.e. not those from summary).

Now I got results like this:

Field1                 field2                     _time
UserA                 list of names       30/5/2023 9:30
UserA                 list of names       30/5/2023 9:40
(both field1 and field2 are same as in first row but different time values)

So, if there are two events with the same user (from field1) and the same list of names (from field2), I need a consolidated event count. For the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.

0 Karma
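An added SPL example (mine, not from anyone in this thread) that puts ITWhisperer's join-versus-append point together with the count innoce is asking for. It assumes the summary events carry field1 and field2 exactly as the first search collected them; `my base search` stands for the OP's own base search, and the `earliest=-30d@d` window on the summary subsearch is my assumption (the thread does not say how far back the summary should be read).

```spl
my base search
| eval src="live"
| append
    [ search index=summary source="base generator" earliest=-30d@d
      | eval src="historical" ]
| stats count AS total,
        count(eval(src=="historical")) AS seen_before,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY field1 field2
| where seen_before=0
| convert ctime(first_seen) ctime(last_seen)
```

`append` adds the summary rows as events, so the live and historical copies of a user/list pair land in one result set; `stats ... BY field1 field2` then collapses them regardless of `_time`, which is where the "2" for UserA comes from (`total`). `seen_before` counts only the summary copies, so `where seen_before=0` keeps just the pairs the summary has never recorded, which is the "new events" list the second search is meant to produce. If you only want the consolidated count and not the new-versus-historical split, `| stats count BY field1 field2` on the base search alone is enough.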

ITWhisperer
SplunkTrust

If you are trying to find new events when the job is running 2 hours later, why not just set the timeframe to -2h@h?

0 Karma