Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find items from one index across other index's.

SMM10
Explorer
‎11-19-2021 02:03 PM

We have specific ID's that track how request process through the system. What I want to do search for all these ID's in one index and then join all other index's to see how these funnel down. So essentially track how a request tracks through our system, and then get all the service requests associated. I was thinking something like: 

 

index=foo
|fields service, ID
| join ID [index=*]
| stats service

 

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-21-2021 01:32 PM

At the most basic, if you go for join, then your existing SPL should look something like this

index=foo
| stats count by service ID 
[ 
  | join ID [index!=foo]
  | stats values(service) by ID
]

but join is never a great option - it is slow and has limitations in the number of results that can be handled by the subsearch - and the solution is not to increase the limit.

As @PickleRick says, it is better to run stats across the data set you want to search and then perform stats and test operations on the results.

The question is: What do you want to do having found the correlated services - is there any other data you want to use following the initial search, if so that will dictate how your search will look.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-19-2021 02:56 PM

If all your events in question had the ID field you could do something like (rough idea)

index=* ID=* | stats values(_raw) by ID

But that would mean doing stats  across all your indexes which is not very effective to say the least.

But your join would be even worse 😉

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...