Splunk Search

I want to match multiple fields from different indexes whether these are matching to other index or not?

nasrinmulani
New Member

I want to match multiple fields from different indexes whether these are matching to other index or not.

I was thinking to join both of them but it won't work.
It's like I want: if a1=1 and b1=2 in one index then it should be a1=1 and b1=2 in the other index. There could be 5-6 such fields.

For this I am thinking of going with NOT LIKE, but I'm not getting an exact solution.

Please suggest any solution.

Thanks in advance!!


DalJeanis
SplunkTrust

There is not really any way that we can help you answer your "maybe match, maybe not match" question unless you more fully describe the use case to us. @thambisetty's answer is very good for the question you asked, but there is something else about your system that you have not explained.

What is in each file? Like, in real life, how would a human being know that two records belonged together, or what to report on?


If there is a single key (for example a1) or combination of keys then use this kind of setup. With a combination of keys, you would set up matchkey1, matchkey2 etc.

(your search that gets all the records of type 1) OR
(your search that gets all the records of type 2)
| fields index foo bar  ...list all the fields you want from any record ...

| rename COMMENT as "build a synthetic key if no key exists with the same name and value on each file"
| rename COMMENT as "replace 'record is type 1/2' with a real test, e.g. index=a / index=b"
| eval matchkey1 = case(record is type 1, build the match key for type 1 records,
                        record is type 2, build the match key for type 2 records)

| rename COMMENT as "make sure the names and data values are identifiable as where they came from"
| eval foo1=case(record is type 1,foo)
| eval foo2=case(record is type 2,foo)
| eval bar1=case(record is type 1,bar)
| eval bar2=case(record is type 2,bar)

| rename COMMENT as "get rid of unneeded fields then stats them all together"
| fields index matchkey1 foo1 foo2 bar1 bar2 ...list all the fields you want from any record ...
| stats values(*) as * by matchkey1

| rename COMMENT as "Compare each field to flag any issues (case() takes comma-separated condition,value pairs; first true condition wins)"
| eval myFlag1=case(foo1=foo2,"foo matches",
    isnull(foo1) AND isnull(foo2),"foo missing from both",
    isnull(foo1),"foo missing from file 1",
    isnull(foo2),"foo missing from file 2",
    foo1!=foo2,"foo changed")
| eval myFlag2=case(bar1=bar2,"bar matches",
    isnull(bar1) AND isnull(bar2),"bar missing from both",
    isnull(bar1),"bar missing from file 1",
    isnull(bar2),"bar missing from file 2",
    bar1!=bar2,"bar changed")

and so on.


thambisetty
SplunkTrust

Hi @nasrinmulani,

If your data set is small, you can go for joins:

I created two data sets:

The first data set contains:

a1 - {1,2,3}
b1 - {4,5,6}

The second data set contains:

a1 - {1,2,3}
b1 - {4,7,8}

I think your expected outcome from both of the above data sets is (1,4). If this is correct then the below solution will work for you. Here I have taken only two fields in the join command; you can take any number of fields in join.

| makeresults
| eval a1="1:4,2:5,3:6"
| makemv a1 delim=","
| mvexpand a1
| rex field=a1 "(?<a1>\d):(?<b1>\d)"
| join type=left a1,b1
    [| makeresults
     | eval a1="1:4,2:7,3:8"
     | makemv a1 delim=","
     | mvexpand a1
     | rex field=a1 "(?<a1>\d):(?<b1>\d)"
     | eval source="innerJoin"]

Happy Splunking..:)

————————————
If this helps, give a like below.

nasrinmulani
New Member

Thanks Thambisetty,

Actually, this isn't matching my requirement.
I need to check whether the value of the field named a1 is the same in both indexes or not. It's like checking through a query whether both indexes hold the same value for that field in Splunk.


thambisetty
SplunkTrust

The above query is what you are looking for; you need to apply a filter on the field which is coming from the inner join to get the matching fields, OR try below:

index=a OR index=b
| stats dc(index) as index_count by a1
| where index_count = 2

The where condition gives you the records where a1 matches in the two indexes.

If you have multiple fields to compare, you just add them to the by clause of the stats command, and index_count should be the total number of sources you would like to match your fields from.

————————————
If this helps, give a like below.
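Putting the two approaches above together on the sample data from this thread (this is an added, self-contained example, not code from either poster): records from the two indexes are keyed on a1 as in thambisetty's stats query, and b1 is then compared per index with a case() flag in the style of DalJeanis's answer. The idx field and the index_a/index_b names are constructed stand-ins for the real index field, and the final where lists only the non-matching keys that the last reply asks for.

```spl
| rename COMMENT as "constructed sample data: a1 1..3 with b1 4,5,6 in index_a and 4,7,8 in index_b"
| makeresults count=3
| streamstats count as n
| eval idx="index_a", a1=n, b1=case(n=1,4, n=2,5, n=3,6)
| append
    [| makeresults count=3
     | streamstats count as n
     | eval idx="index_b", a1=n, b1=case(n=1,4, n=2,7, n=3,8)]
| fields idx a1 b1

| rename COMMENT as "with real data replace everything above with: index=a OR index=b | fields index a1 b1 | rename index as idx"
| rename COMMENT as "tag each value with the index it came from so stats can put them side by side"
| eval b1_a=if(idx="index_a", b1, null()),
       b1_b=if(idx="index_b", b1, null())

| rename COMMENT as "one row per key; index_count=2 means the key exists in both indexes"
| stats dc(idx) as index_count values(b1_a) as b1_a values(b1_b) as b1_b by a1

| rename COMMENT as "flag how b1 compares across the two indexes for that key"
| eval b1_status=case(b1_a=b1_b, "matches",
                      isnull(b1_a), "missing from index_a",
                      isnull(b1_b), "missing from index_b",
                      true(), "changed")

| rename COMMENT as "keep only keys with a discrepancy; drop this line to see every key with its status"
| where b1_status!="matches"
```

On the sample data this returns a1=2 (b1 5 vs 7) and a1=3 (b1 6 vs 8) as "changed" with index_count=2, while a1=1 is filtered out as "matches"; keys present in only one index show up as "missing from ..." with index_count=1, which is what `where index_count=1` in the stats-only query would find.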

nasrinmulani
New Member

Thanks Balaji,
I need to get the list of those fields which are not matching; I think that I can get that by changing the where condition to where index_count=1.
