Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show data from TWO different sourcetypes ?

zacksoft_wf
Contributor
‎01-21-2022 03:44 AM

I have,
sourcetype_A  (fields : ID, age, city, state)
sourcetype_B  (fields : ID, job, salary, gender)

The fields "ID" is common in both sourcetype_A and B but with a caveat.
example1 : for ID = 1687, it is present in sourcetype_A as 0001687 , in sourcetype_B as 1687
example2 : for ID = 9843, it is present in sourcetype_A as 009843 , in sourcetype_B as 9843
example3 : for ID = 8765, it is present in sourcetype_A as 08765 , in sourcetype_B as 8765
where 1687, 9843, 8765 are the actual IDs. zeros are creating mess in sourcetype_A .

I am not allowed to use join, So this is what I am trying but I am not seeing all my data.

===================================
(index=country) sourcetype=sourcetype_A OR sourcetype=sourcetype_B
| eval ID = ltrim(ID,"0")
| eventstats dc(sourcetype) as dc_st
| where dc_st >1
| table ID, age, city, state,  job, salary, gender
===================================

I also tried | stats values (age) as age 
                                ........
     ..........................................................
                  by ID.
But stats gave me massive multivalue fields with messy duplicates. I am asked to get in one row per data (no multivalues )

Any help ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-21-2022 05:11 AM

Hi @zacksoft_wf,

use stats, something like this:

index=country (sourcetype=sourcetype_A OR sourcetype=sourcetype_B)
| eval ID = ltrim(ID,"0")
| stats 
   count AS dc_st 
   values(age) AS age 
   values(city) AS city 
   values(state) AS state 
   values(job) As job 
   values(salary) AS salary 
   values(gender) AS gender
   By ID
| where dc_st >1

if you have a multivalue field, you can expand it adding at the end:

| mvexpand <field>

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-21-2022 05:11 AM

Hi @zacksoft_wf,

use stats, something like this:

index=country (sourcetype=sourcetype_A OR sourcetype=sourcetype_B)
| eval ID = ltrim(ID,"0")
| stats 
   count AS dc_st 
   values(age) AS age 
   values(city) AS city 
   values(state) AS state 
   values(job) As job 
   values(salary) AS salary 
   values(gender) AS gender
   By ID
| where dc_st >1

if you have a multivalue field, you can expand it adding at the end:

| mvexpand <field>

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-21-2022 07:03 AM

Hi @zacksoft_wf,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...