Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to reconcile a field in two different sourcety...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leonjxtan
Path Finder
05-23-2017
05:59 AM
My use case is:
There is sourcetype1, which has tradeID field; also sourcetype2, which also has tradeID field.
I think sourcetype2 should be a subset of sourcetype1, and I want to do reconciliation.
How to write a search so that it returns all tradeID in sourcetyp1, but not in sourcetype2?
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-23-2017
02:51 PM
Like this:
index=foo sourcetype=sourcetype1 OR sourcetype=sourcetype2
| eval tradeID=if((sourcetype=sourcetype1), tradeID, null())
| Your Other Stuff Here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gvnd
Path Finder
05-24-2017
02:15 AM
Try this one:
index=* sourcetype=sourcetype1 OR sourcetype=sourcetype2
| stats dc(sourcetype as sourcetypes values(sourcetype) as sourcetype by tradeID
| search sourcetype=sourcetype1 AND sourcetypes= 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-23-2017
02:51 PM
Like this:
index=foo sourcetype=sourcetype1 OR sourcetype=sourcetype2
| eval tradeID=if((sourcetype=sourcetype1), tradeID, null())
| Your Other Stuff Here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
knielsen
Contributor
05-23-2017
06:42 AM
Try this:
sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats count by tradeID,sourcetype | xyseries tradeID sourcetype count | fillnull sourcetype1 sourcetype
2 | search sourcetype1>0 sourcetype2=0 | fields tradeID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
05-23-2017
06:02 AM
You can use a subsearch to find all tradeID in sourcetype2 and filter them from sourcetype1 -
sourcetype=sourcetype1 NOT [ search sourcetype=sourcetype2 | dedup tradeID | table tradeID ] | dedup tradeID | table tradeID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leonjxtan
Path Finder
05-23-2017
06:22 AM
Thanks.
I tried this search, but strangely 9 seconds are spent on parsing the search. Is it normal for sub-search?
918.18 startup.handoff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dineshraj9
Builder
05-23-2017
06:49 AM
This approach should be faster -
sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval flag=if(sourcetype=sourcetype2,1,0) | stats sum(flag) as flag by traceID | where flag=0
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
