- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract matched data from different ind...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract matched data from different index and different source based on the fields?
Below two events
Start event
Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*" | Rex field= log " state=(?<state>.*" | Table _time bid,mandid,actionid,state
End event
Index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*" | Table _time manid actionid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @Sekhar,
You can join both queries using append and stats.
index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | rex field =log " manid=(?<mandid>.*?)", | rex field=log "bid=(?<bid>.*" | rex field= log " state=(?<state>.*" | table _time bid,mandid,actionid,state | apppend [
index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | rex field =msg " manid\:(?<mandid>.*?)", | rex field=msg "actionid"\:(?<actionid>.*" | table _time manid actionid ] | stats values(*) as * by mandid, actionid- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I excute the start event getting 40 statistics and end event result 43 statistics
But when I used append and stats getting 75 statistics.
My requirement is matching the mandid for both the events . Then I will calculate the duration from end event to start event .
How can I validate by data or query getting correct results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | rex field =log " manid=(?<mandid>.*?)", | rex field=log "bid=(?<bid>.*" | rex field= log " state=(?<state>.*" | eval starttime=_time | table _time,bid,mandid,actionid,state | apppend [
index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | rex field =msg " manid\:(?<mandid>.*?)", | rex field=msg "actionid"\:(?<actionid>.*" | table _time manid actionid | eval endtime=_time ] | stats values(*) as * by mandid | eval duration=endtime-starttime
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
