Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify my stats search to join multiple fields from three sources?

davesullivan41
Engager
‎10-04-2016 03:43 PM

I have data coming in from three sources, with three different sets of fields:

Source 1: Filename
Source 2: Filename, Unique_Identifier
Source 3: Unique_Identifier

These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.

I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.

search query | stats range(_time)  by Unique_Identifier, Filename

But this is only returning data from source 2 where both the Unique_Identifier and Filename fields both exist. Is there a good way to include records from Source 1 and Source 3 as well?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-04-2016 04:11 PM

You could edit your current search to include Filename & Unique_Identifier to all 3 sources using eventstats like this

search query | eventstats values(Filename) as Filename by  Unique_Identifier | eventstats values(Unique_Identifier) as Unique_Identifier by Filename | stats range(_time)  by Unique_Identifier, Filename
Reply
Solved! Jump to solution

davesullivan41
Engager
‎10-05-2016 02:07 PM

That seems to have worked, thanks!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
li.common.scroll-to.top