Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge search from 2 different sources?

aymane96
Engager
‎05-04-2022 05:55 AM

Hello,

I would like to do a search to filter some result matching my conditions and then use a common ID field to combine result with an other source.

Lets say :

 

SOURCE A :                       

  • field ID 
  • field x
  • field y 

 

SOURCE B : 

  • field ID 
  • field z

 

I want to do a search with some condition on Source A : Index=A sourcetype=A'  "x=value" "y<=value"

and then use a join to get value "z"  for the result that i got from main search.

 

For now i have something like this :

 

 

 

index=A sourcetype=A'  "x=value" "y<=value"
| join [ search index=B sourcetype=B' | fields ID
| stats count by z

 

 

 

 

It does not seems to work. 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

aymane96
Engager
‎05-04-2022 06:16 AM

Hello @gcusello,

 

Thank you for your quick answer 

I already tried to use the stats command. I just tried your method but the problem is that i have more result with this query than the main search: 

index=A sourcetype=A "x=value" "y<=value"

 It seems that it does not match only these result but it is more like it appends all the result of the search

index=B sourcetype=B

 

Actually, i want to use index B just for the information in field z,  the scope will be the result of the main search. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-04-2022 06:23 AM

Hi @aymane96,

let me understand: has the main search results?

could you share some sample of x and y and value, to better understand conditions?

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-04-2022 06:04 AM 
index=A sourcetype=A  x="value"
| where y<=value
| join ID [ search index=B sourcetype=B | fields ID z ]
| stats count by z
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-04-2022 06:04 AM

Hi @aymane96,

remember that Splunk isn't a DB, so join command must be used only when there isn't any other solution as last choice, because it's very slow and consumes many resources!

in you case, you could join the two sources using the stats command BY the common key (z), something like this:

(index=A sourcetype=A "x=value" "y<=value") OR (index=B sourcetype=B)
| stats values(x) AS x values(y) AS y count by z

if in addition you want also to put the condition that common key (z) values must be in both indexes, you could use something like this:

(index=A sourcetype=A "x=value" "y<=value") OR (index=B sourcetype=B)
| stats values(x) AS x values(y) AS y dc(index) AS dc_index count by z
| where dc_index=2

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...