Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my stats search to join multiple fields from three sources?

davesullivan41
Engager
‎10-04-2016 03:43 PM

I have data coming in from three sources, with three different sets of fields:

Source 1: Filename
Source 2: Filename, Unique_Identifier
Source 3: Unique_Identifier

These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.

I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.

search query | stats range(_time)  by Unique_Identifier, Filename

But this is only returning data from source 2 where both the Unique_Identifier and Filename fields both exist. Is there a good way to include records from Source 1 and Source 3 as well?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename
Reply
Solved! Jump to solution

davesullivan41
Engager
‎10-05-2016 02:07 PM

That seems to have worked, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...