Splunk Search

How to count the occurrences based off two matching fields?

innoce
Path Finder

Hi,

I have two searches.

The first search runs once per day (lookback -24h@h, latest=now, cron: 5 4 * * *) and writes the results to a summary index:

my base search
...
...
| collect index=summary source="base generator"


The second search also runs once per day (lookback -24h@h, latest=now, cron: 5 6 * * *):

my base search
| join type=left field1, field2
    [ search index=summary source="*base generator*" ..... ]

Now I have the results as expected, something like this:

Field1    field2           _time
UserA     list of names    30/5/2023 9:30
UserA     list of names    30/5/2023 9:40
(both field1 and field2 are the same as in the first row, but with different _time values)

In this case, I need a consolidated event count. Say for the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.

I tried, but had no luck. Any help would be much appreciated. Thanks in advance!


ITWhisperer
SplunkTrust

It is a bit confusing which results are coming from where. For example, are the results at 9:30 and 9:40 both coming from your base search of the second search?

What "additional" data are you expecting to retrieve from the join?

Note that join adds data fields to existing events, it does not add events. If you want to add events (from the summary index) use the append command instead of join.

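The following is an added example, not code from either participant in this thread. It puts ITWhisperer's point into a runnable search: the current run's events and the summary-indexed events are combined with append (which adds events) rather than join (which only adds fields), and stats is keyed on Field1 and field2 only, so rows that differ solely in _time collapse into one line with a count. The three "current" rows and the single "summary" row are constructed inline with makeresults so the search runs without any index; the field names Field1/field2, the src marker, the is_new flag and the date format are assumptions made for the example.

```spl
| makeresults
| eval rows="UserA|alice,bob|2023-05-30 09:30;UserA|alice,bob|2023-05-30 09:40;UserB|carol|2023-05-30 09:35"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<Field1>[^|]+)\|(?<field2>[^|]+)\|(?<ts>.+)$"
| eval src="current"
| append
    [| makeresults
     | eval rows="UserB|carol|2023-05-29 08:00"
     | makemv delim=";" rows
     | mvexpand rows
     | rex field=rows "^(?<Field1>[^|]+)\|(?<field2>[^|]+)\|(?<ts>.+)$"
     | eval src="summary"]
| eval _time=strptime(ts, "%Y-%m-%d %H:%M")
| stats count(eval(src="current")) AS current_count
        count(eval(src="summary")) AS historical_count
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY Field1 field2
| eval is_new=if(historical_count=0, "yes", "no")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort Field1 field2
```

The UserA / alice,bob pair from the question comes back as one row with current_count 2 and historical_count 0 (so is_new is yes), which is the consolidated count the question asks for; first_seen and last_seen keep the time range without splitting the row. To use this against real data, replace the first makeresults chain with the base search (ending in `| eval src="current"`) and the appended subsearch with `search index=summary source="*base generator*" | eval src="summary"`. Two caveats: events written with collect keep their original _time, so the summary rows will never match the current run on time, which is why the grouping deliberately excludes it; and append's subsearch is subject to the maxout and maxtime limits (50000 results and 60 seconds by default), so a large summary index may need those raised or a different approach such as a lookup.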

innoce
Path Finder

@ITWhisperer 
The base searches of the first and second are the same. The reason to write the results of the first one to the summary index is to get the historical events.

Now for the second one, using the same base search and correlating it with the summary index using a join, I'm trying to retrieve the list of new events which weren't historical (not those from the summary index).

Now I get results like this:

Field1    field2           _time
UserA     list of names    30/5/2023 9:30
UserA     list of names    30/5/2023 9:40
(both field1 and field2 are the same as in the first row, but with different _time values)

So, if there are two of the same user (from field1) and the same list of names (from field2), I need a consolidated event count. Say for the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.


ITWhisperer
SplunkTrust

If you are trying to find new events when the job is running 2 hours later, why not just set the timeframe to -2h@h?
