Splunk Search

How to return data based on search of one Source and lookup to a second

El_Franco
Explorer

Hopefully this will set the issue out clearly. 

I have two sources, Transaction and Request.

The Transaction holds the transaction id, date and time and user details of a user transaction.

The Request holds the request id, transaction id and an XML string with details of a user's search.

I have a query that searches the Request and returns those searches which contain specific strings. However I need to show the user details on the results table.

index="PreProdIndex" source="Request"
"<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Soup\"/>"
OR "<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Biscuits\"/>"
| table REQUEST_DATE_TIME REQUEST

So I need to add onto the table USER_DETAILS from the Source "Transaction" to the above query based on the common key of the Transaction ID. 

In SQL I would simply put in a join on Transaction.ID=Request.Transaction_ID and all would be good but I have failed to find anything that gives a SPLUNK solution yet. 


richgalloway
SplunkTrust

Splunk has a join command that may do the job, but it's inefficient. The typical solution is to fetch both sources and then group them together by a common field using the stats command.

index="PreProdIndex" ((source="Request"
("<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Soup\"/>"
OR "<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Biscuits\"/>")) OR source="Transaction")
| stats values(*) as * by transaction_id
| table REQUEST_DATE_TIME REQUEST *


---
If this reply helps you, Karma would be appreciated.
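As an added example (not part of either post above), the same stats-based correlation written out for the case the question actually describes, where the key is named differently in the two sources (Transaction.ID versus Request.Transaction_ID, as in the asker's SQL join). The field names ID and Transaction_ID are taken from that sentence and are assumptions about the real field extractions; REQUEST_DATE_TIME, REQUEST and USER_DETAILS are the names used in the question. The eval normalises the key into one field before stats so that events from both sources land in the same group, and the where clause drops Transaction events that have no matching filtered Request, giving inner-join semantics rather than one row per transaction.

```spl
index="PreProdIndex"
    ((source="Request"
        ("<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Soup\"/>"
         OR "<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Biscuits\"/>"))
     OR source="Transaction")
| eval transaction_key=case(source="Request", Transaction_ID, source="Transaction", ID)
| stats values(REQUEST_DATE_TIME) as REQUEST_DATE_TIME
        values(REQUEST)           as REQUEST
        values(USER_DETAILS)      as USER_DETAILS
        by transaction_key
| where isnotnull(REQUEST)
| table transaction_key REQUEST_DATE_TIME REQUEST USER_DETAILS
```

Listing the fields explicitly in stats instead of values(*) keeps the result to the columns the table needs and avoids pulling every extracted field from both sources into multivalue cells; if one transaction id can carry several requests, REQUEST and REQUEST_DATE_TIME become multivalue fields, and a mvexpand on REQUEST after the stats will give one row per request again.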