Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a table based on a common field name from two sources?

svemurilv
Path Finder
‎01-09-2017 09:16 AM

HI Splunks,
I have two Splunk sources: source=source1 and source=source2. i just want to compare two source's data with one of the common Field names "ReportRequestInstanceID" and create table with the time stamp.

source1 

"2017-01-09 12:01:00" ReportRequestInstanceID="3211552", CreatedOn="2017-01-09 12:01:00.387", ReportRequestID="172837", NumberOfReportTypes="1", Title="Accordant_Amtrak", QueueNumber="2", TimeInterval="Last Effective Hour", NumberOfFilteredNetworks="0", NumberOfFilteredAdvertisers="1", NumberOfFilteredAngencies="1", NumberOfFilteredCampaigns="1", NumberOfFilteredReportingProjects="0", HasEmail="1", HasFtps="1", NumberOfDaysInWeekScheduled="7",

source -2 

2017-01-09 12:02:46" ID="6157727", ReportRequestInstanceID="3114793", DownloadTime="2017-01-09 12:02:46.567", ClientIP="64.156.167.132", DownloadMode="40", StartTime="2017-01-09 12:02:46.567"

i just want to create table for the source1.ReportRequestInstanceID | source2.ReportRequestInstanceID | source1.CreatedOn source1.ReportRequestID |source2.DownloadTime | source2.DownloadMode

Please Help me.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-09-2017 12:34 PM

Try something like this - 

source=source1 | fields ReportRequestInstanceID CreatedOn | join ReportRequestInstanceID type=left maxrows=0 [search source=source2 | eval Source2ReportRequestInstanceID = ReportRequestInstanceID | fields ReportRequestInstanceID Source2ReportRequestInstanceID DownloadTime DownloadMode] | table ReportRequestInstanceID Source2ReportRequestInstanceID CreatedOn DownloadTime DownloadMode

This left join should produce one line for each time a report has been downloaded in source 2, or a single line for each report in source 1 that has never yet been downloaded. It will not produce any results for items that show as downloaded in source2, but which do not exist in source1.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎01-09-2017 12:34 PM

Try something like this - 

source=source1 | fields ReportRequestInstanceID CreatedOn | join ReportRequestInstanceID type=left maxrows=0 [search source=source2 | eval Source2ReportRequestInstanceID = ReportRequestInstanceID | fields ReportRequestInstanceID Source2ReportRequestInstanceID DownloadTime DownloadMode] | table ReportRequestInstanceID Source2ReportRequestInstanceID CreatedOn DownloadTime DownloadMode

This left join should produce one line for each time a report has been downloaded in source 2, or a single line for each report in source 1 that has never yet been downloaded. It will not produce any results for items that show as downloaded in source2, but which do not exist in source1.

0 Karma
Reply
Solved! Jump to solution

svemurilv
Path Finder
‎01-09-2017 01:34 PM

Thanks @ DalJeanis Its working.

0 Karma
Reply
Solved! Jump to solution

svemurilv
Path Finder
‎01-09-2017 01:40 PM

Thanks all

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎01-10-2017 07:56 AM

Awesome! happy to be of service.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-09-2017 12:10 PM

what about something like this? It should give you every unique value for each field by the ReportRequestInstanceID

source=source1 OR source=source2
|stats values(DownloadTime) as DownloadTime values(DownloadMode) as DownloadMode values(CreatedOn) as CreatedOn values(ReportRequestID) as ReportRequestID by ReportRequestInstanceID
0 Karma
Reply
Solved! Jump to solution

svemurilv
Path Finder
‎01-09-2017 12:33 PM

Sorry to say its not displaying the source1 values in this case, its displaying only source2 values

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-09-2017 10:34 AM

I think since the field should be autoextracted and is same/common in both sources can you try this below which should work straight away without any issues:

(source=source1 OR source=source2)
| table ReportRequestInstanceID, CreatedOn, ReportRequestID, DownloadTime, DownloadMode

If the index and sourcetype is same, you might wanna add those filters too something like 

index=yourIndex sourcetype=yourSourceType (source=source1 OR source=source2)
| table ReportRequestInstanceID, CreatedOn, ReportRequestID, DownloadTime, DownloadMode
0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-09-2017 12:14 PM

Since the ReportRequestInstanceID is same, displaying it twice might be redundant and this query above will automatically return the data for the ids which match in both source1 and source2. You don't need a specific matching condition to match between source1.ReportRequestInstanceID and source2.ReportRequestInstanceID

0 Karma
Reply
Solved! Jump to solution

svemurilv
Path Finder
‎01-09-2017 12:06 PM

I need to compare the "ReportRequestInstanceID" from both sources, if ID matches in both sources then tabular few filed in both the sources and generate the report, both ReportRequestInstanceID di should display in the table.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...