Splunk Search

How to merge search from 2 different sources?

aymane96
Engager

Hello,

I would like to do a search to filter some results matching my conditions and then use a common ID field to combine the result with another source.

Let's say:

SOURCE A:

  • field ID
  • field x
  • field y

SOURCE B:

  • field ID
  • field z

I want to do a search with some conditions on Source A: Index=A sourcetype=A'  "x=value" "y<=value"

and then use a join to get the value "z" for the results that I got from the main search.

For now I have something like this:

index=A sourcetype=A'  "x=value" "y<=value"
| join [ search index=B sourcetype=B' | fields ID
| stats count by z

It does not seem to work.

aymane96
Engager

Hello @gcusello,

Thank you for your quick answer.

I already tried to use the stats command. I just tried your method, but the problem is that I have more results with this query than with the main search:

index=A sourcetype=A "x=value" "y<=value"

It seems that it does not match only these results, but it is more like it appends all the results of the search

index=B sourcetype=B

Actually, I want to use index B just for the information in field z; the scope will be the results of the main search.

gcusello
SplunkTrust

Hi @aymane96,

let me understand: does the main search have results?

could you share some samples of x, y and value, to better understand the conditions?

Ciao.

Giuseppe


ITWhisperer
SplunkTrust
index=A sourcetype=A  x="value"
| where y<=value
| join ID [ search index=B sourcetype=B | fields ID z ]
| stats count by z

gcusello
SplunkTrust

Hi @aymane96,

remember that Splunk isn't a DB, so the join command must be used only as a last choice, when there isn't any other solution, because it's very slow and consumes many resources!

in your case, you could join the two sources using the stats command BY the common key (z), something like this:

(index=A sourcetype=A "x=value" "y<=value") OR (index=B sourcetype=B)
| stats values(x) AS x values(y) AS y count by z

if in addition you also want to put the condition that common key (z) values must be in both indexes, you could use something like this:

(index=A sourcetype=A "x=value" "y<=value") OR (index=B sourcetype=B)
| stats values(x) AS x values(y) AS y dc(index) AS dc_index count by z
| where dc_index=2

Ciao.

Giuseppe

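As an added illustration (not code from the thread or from Splunk), the Python below simulates the stats-based merge from the second answer over constructed sample events, grouping on ID since that is the shared field in the question rather than z; it shows why the plain OR search returns more keys than the main search alone, and how the dc(index)=2 filter narrows the output to IDs present in both sources.

```python
from collections import defaultdict

# Constructed sample events standing in for the two sources in the thread.
# Source A carries the filter fields x and y; source B carries z.
# ID is assumed to be the common key (the question's shared field).
SOURCE_A = [
    {"index": "A", "ID": "1", "x": "value", "y": 5},
    {"index": "A", "ID": "2", "x": "value", "y": 50},  # fails y<=value
    {"index": "A", "ID": "3", "x": "other", "y": 5},   # fails x=value
    {"index": "A", "ID": "4", "x": "value", "y": 2},
]
SOURCE_B = [
    {"index": "B", "ID": "1", "z": "alpha"},
    {"index": "B", "ID": "4", "z": "beta"},
    {"index": "B", "ID": "9", "z": "gamma"},  # no matching event in A
]

def base_search(y_limit=10):
    """(index=A sourcetype=A "x=value" "y<=value") OR (index=B sourcetype=B)."""
    from_a = [e for e in SOURCE_A if e["x"] == "value" and e["y"] <= y_limit]
    return from_a + list(SOURCE_B)  # B is appended unfiltered, as in the OR search

def stats_by_id(events):
    """| stats values(x) AS x values(y) AS y values(z) AS z dc(index) AS dc_index count by ID"""
    groups = defaultdict(list)
    for e in events:
        groups[e["ID"]].append(e)
    rows = []
    for key in sorted(groups):
        g = groups[key]
        rows.append({
            "ID": key,
            "x": sorted({e["x"] for e in g if "x" in e}),
            "y": sorted({e["y"] for e in g if "y" in e}),
            "z": sorted({e["z"] for e in g if "z" in e}),
            "dc_index": len({e["index"] for e in g}),  # distinct indexes seen for this ID
            "count": len(g),
        })
    return rows

def merged(y_limit=10):
    """Full pipeline with | where dc_index=2: keep only IDs present in both sources."""
    return [r for r in stats_by_id(base_search(y_limit)) if r["dc_index"] == 2]

if __name__ == "__main__":
    print("without dc_index filter:", [r["ID"] for r in stats_by_id(base_search())])
    print("with dc_index=2:", [r["ID"] for r in merged()])
```

Without the dc_index filter the stats output still contains ID 9, which only exists in source B; that is the extra-results effect described earlier in the thread.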