Splunk Search

How to search for and chart multiple values for different sourcetypes?

clintla
Contributor

I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.

For example:

Sourcetype A
field1 field2 field3 field4

Sourcetype B
field5 field6 field7 field8

Chart values(field1), values(field2), values(field3), values(field6), values(field7)

I want to search for something where the search string will be contained in field 1 & 5 will be the same & then collect all the data from those lines in Sourcetypes A & B

I get Sourcetype A or B.. but not both. However, in the "Interesting Fields" from the search, I get everything so I know the data is there.

1 Solution

lguinn2
Legend

Seems like this would be a start:

(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
        values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField

But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?


clintla
Contributor

The stats command works.. but because one sourcetype has multiple instances & the other has 1, they don't line up.

I ended up doing panels w/ drilldowns that worked exceedingly well. Lisa, I think you usually come to the rescue on my questions & you did again (the answer was right but it got me going to an even better answer) ... as always.. thanks for the assistance.
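An added SPL example, not from either poster, that carries lguinn2's coalesce/stats search through the case described above: the search term (the placeholder "web*" here) is applied to field1 and field5 in the base search so only matching events from either sourcetype are read, everything aggregates by the shared key so rows line up even when sourcetype A has many events per key and sourcetype B has one, and per-sourcetype event counts give the result single-valued columns that a chart can actually use.

```spl
(sourcetype=A field1="web*") OR (sourcetype=B field5="web*")
| eval key=coalesce(field1, field5)
| stats values(field2) AS field2 values(field3) AS field3 values(field4) AS field4
        values(field6) AS field6 values(field7) AS field7 values(field8) AS field8
        count(eval(sourcetype="A")) AS events_A
        count(eval(sourcetype="B")) AS events_B
        BY key
| foreach field2 field3 field4 field6 field7 field8
    [ eval <<FIELD>>=mvjoin(<<FIELD>>, "; ") ]
| table key field2 field3 field4 field6 field7 field8 events_A events_B
```

The mvjoin step collapses the multivalued field2..field4 that sourcetype A's repeated events produce into one string per key, so the table shows one row per key; events_A and events_B are plain numbers and can be charted from the same result.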

clintla
Contributor

I'm almost wanting a lookup. 2 sources that I'd like to combine into 1 source really.

So field1 & field5 are what I want to search (those 2 fields have the same list of items). So if I search field1, I want to find all those fields in both sourcetypes.


lquinn
Contributor

What is the current search that you are using?
