Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to separate sets of information with same field values without using JOIN?

karthi2809
Builder
‎04-23-2024 04:56 AM

Hi All,

I have field called filename .SO i want to populate the result from the filename field and i created two joins to separate. Is there any other way without using Join

Success File and Failure File

 

| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*" ,"*successful Call*" , "*file processed successfully*" , "*Archive file processed successfully*" , "*processed successfully for file name*")
| rename content.Filename as SuccessFileName correlationId as CorrelationId
| table CorrelationId SuccessFileName
| stats values(*) as * by CorrelationId]
| table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp
| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (p-oracle-fin-processor , p-oracle-fin-processor-2 , p-wd-finance-api) AND priority IN (ERROR,WARN)
| rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg
| table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp

 

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-23-2024 05:01 AM

Hi @karthi2809,

to help you I need also the main search.

Anyway, you should:

  • create a main search putting in OR the three searches,
  • correlate them using the stats command By the common key and adding values(field_name) As field_name for each field that you want to display.

Ciao.

Giuseppe

0 Karma
Reply

karthi2809
Builder
‎04-23-2024 05:22 AM

Hi @gcusello 
Yes for that i used stats values of filed name .But i cant able to seperate the error and succes file

This is my new query :

index=mulesoft environment=* (applicationName IN ("Test"))  
| stats  values(content.FileList{})  as FileList values(content.FileName)  as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
| eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*")  OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1)
| eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN")  OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-23-2024 06:02 AM

Hi @karthi2809,

after a stats command you have only the fields present in the stats command, so in your case you don't have priority and message fields that you would use in the evals after the stats.

Locate the eval before the stats and add the related fields to the stats.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...