Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to separate sets of information with same field values without using JOIN?

karthi2809
Builder
‎04-23-2024 04:56 AM

Hi All,

I have field called filename .SO i want to populate the result from the filename field and i created two joins to separate. Is there any other way without using Join

Success File and Failure File

 

| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*" ,"*successful Call*" , "*file processed successfully*" , "*Archive file processed successfully*" , "*processed successfully for file name*")
| rename content.Filename as SuccessFileName correlationId as CorrelationId
| table CorrelationId SuccessFileName
| stats values(*) as * by CorrelationId]
| table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp
| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (p-oracle-fin-processor , p-oracle-fin-processor-2 , p-wd-finance-api) AND priority IN (ERROR,WARN)
| rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg
| table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp

 

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-23-2024 05:01 AM

Hi @karthi2809,

to help you I need also the main search.

Anyway, you should:

  • create a main search putting in OR the three searches,
  • correlate them using the stats command By the common key and adding values(field_name) As field_name for each field that you want to display.

Ciao.

Giuseppe

0 Karma
Reply

karthi2809
Builder
‎04-23-2024 05:22 AM

Hi @gcusello 
Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file

This is my new query :

index=mulesoft environment=* (applicationName IN ("Test"))  
| stats  values(content.FileList{})  as FileList values(content.FileName)  as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
| eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*")  OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1)
| eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN")  OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-23-2024 06:02 AM

Hi @karthi2809,

after a stats command you have only the fields present in the stats command, so in your case you don't have priority and message fields that you would use in the evals after the stats.

Locate the eval before the stats and add the related fields to the stats.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...