Splunk Search

How to separate sets of information with same field values without using JOIN?

karthi2809
Builder

Hi All,

I have field called filename .SO i want to populate the result from the filename field and i created two joins to separate. Is there any other way without using Join

Success File and Failure File

 

| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*" ,"*successful Call*" , "*file processed successfully*" , "*Archive file processed successfully*" , "*processed successfully for file name*")
| rename content.Filename as SuccessFileName correlationId as CorrelationId
| table CorrelationId SuccessFileName
| stats values(*) as * by CorrelationId]
| table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp
| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (p-oracle-fin-processor , p-oracle-fin-processor-2 , p-wd-finance-api) AND priority IN (ERROR,WARN)
| rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg
| table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp

 

 

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

to help you I need also the main search.

Anyway, you should:

  • create a main search putting in OR the three searches,
  • correlate them using the stats command By the common key and adding values(field_name) As field_name for each field that you want to display.

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello 
Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file

This is my new query :

index=mulesoft environment=* (applicationName IN ("Test"))  
| stats  values(content.FileList{})  as FileList values(content.FileName)  as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
| eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*")  OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1)
| eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN")  OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @karthi2809,

after a stats command you have only the fields present in the stats command, so in your case you don't have priority and message fields that you would use in the evals after the stats.

Locate the eval before the stats and add the related fields to the stats.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...