Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Join 3 source types with common field which matches on substring

msrama5
Explorer
‎06-09-2020 01:43 PM

Hi All, I have query below which joins 3 sources 1,2,3 on id field, this works when id values matches across 3 sources, I have 1 additional condition for the ids could also match with substring matching for example-
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21
the query below needs modified for substring matching  based on id1 existing in id2 or id3 and it needs to return the results , how can this query below be  modified ?

splunk query-
sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

Labels (3)
Labels
Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...