Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract matched data from different ind...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract matched data from different index and different source based on the fields?
Sekhar
Explorer
04-17-2023
11:20 PM
Below two events
Start event
Index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | Rex field =log " manid=(?<mandid>.*?)", | Rex field=log "bid=(?<bid>.*" | Rex field= log " state=(?<state>.*" | Table _time bid,mandid,actionid,state
End event
Index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | Rex field =msg " manid\:(?<mandid>.*?)", | Rex field=msg "actionid"\:(?<actionid>.*" | Table _time manid actionid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-17-2023
11:28 PM
hi @Sekhar,
You can join both queries using append and stats.
index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | rex field =log " manid=(?<mandid>.*?)", | rex field=log "bid=(?<bid>.*" | rex field= log " state=(?<state>.*" | table _time bid,mandid,actionid,state | apppend [
index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | rex field =msg " manid\:(?<mandid>.*?)", | rex field=msg "actionid"\:(?<actionid>.*" | table _time manid actionid ] | stats values(*) as * by mandid, actionid- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sekhar
Explorer
04-17-2023
11:50 PM
When I excute the start event getting 40 statistics and end event result 43 statistics
But when I used append and stats getting 75 statistics.
My requirement is matching the mandid for both the events . Then I will calculate the duration from end event to start event .
How can I validate by data or query getting correct results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-17-2023
11:53 PM
Try this:
index= x source= xtype | spath application | search application= x app " saved note" RCVD | rex field=" actionid"=(?<actionid>.*)", | rex field =log " manid=(?<mandid>.*?)", | rex field=log "bid=(?<bid>.*" | rex field= log " state=(?<state>.*" | eval starttime=_time | table _time,bid,mandid,actionid,state | apppend [
index=y sourcetype=yytype source=y "VALIDATION SUCESS" " msg got" | rex field =msg " manid\:(?<mandid>.*?)", | rex field=msg "actionid"\:(?<actionid>.*" | table _time manid actionid | eval endtime=_time ] | stats values(*) as * by mandid | eval duration=endtime-starttime
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
