Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to modify my stats search to join multiple fields from three sources?

davesullivan41
Engager
โ€Ž10-04-2016 03:43 PM

I have data coming in from three sources, with three different sets of fields:

Source 1: Filename
Source 2: Filename, UniqueIdentifier
Source 3: UniqueIdentifier

These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.

I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.

search query | stats range(_time)  by Unique_Identifier, Filename

But this is only returning data from source 2 where both the Unique_Identifier and Filename fields both exist. Is there a good way to include records from Source 1 and Source 3 as well?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
โ€Ž10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
โ€Ž10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

View solution in original post

Reply
Solved! Jump to solution

davesullivan41
Engager
โ€Ž10-05-2016 02:07 PM

That seems to have worked, thanks!

0 Karma
Reply