Splunk Search

Join fields from 2 searches without join

jtg1703
New Member

Hi, I need some help with a little issue. I have 2 sourcetypes like this:

SOURCETYPE A:

ID_1 | DESCRIPCION
1 | RED
2 | BLUE
3 | GREEN
4 | YELLOW
5 | ORANGE

SOURCETYPE B:

ID_1 | ISSUE
1 | A
1 | B
1 | B
3 | B
4 | C

I am trying to find how many IDs have an issue B; the result should look like this:

RED 2
GREEN 1

Currently my search uses a join clause, but it's very slow and I'm trying to find a better way to do this.

Could someone help me?
Regards,
J


aberkow
Builder

You can definitely use the suggestion above about creating a lookup, and then using the lookup command like this:

| lookup csvName.csv ID_1 OUTPUT ISSUE, and then you can run aggregations on that ISSUE field (ID_1 is the joining field)

You can use a stats command as well, but it's a bit difficult to understand what is the most ideal given the data you've given and you'd have to do a bit more fanciness with the fields. If you're just looking for instances of B, you can filter your second sourcetype to that in the base search and then run a command like this:

base search filtering to only B logs
| stats count(ISSUE) as issueCount, values(DESCRIPCION) as description by ID_1

Let me know if this is helpful or if you have any other questions.


tiagofbmm
Influencer

Seems you have material to build a static lookup. Your sourcetype A that has the description can be output to a lookup that you can use to enrich your stats on sourcetype B.

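Putting the two answers together, here is an added example (written for this page, not code posted by either answerer) of both join-free approaches using the question's field names. The sourcetype names A and B and the lookup file name id_descripcion.csv are placeholders; the stats-based search is first, and the two searches after it build the lookup from sourcetype A and then apply it to sourcetype B.

```spl
(sourcetype=A) OR (sourcetype=B ISSUE="B")
| stats values(DESCRIPCION) as DESCRIPCION, count(ISSUE) as issueCount by ID_1
| where issueCount > 0
| table DESCRIPCION, issueCount


sourcetype=A
| stats latest(DESCRIPCION) as DESCRIPCION by ID_1
| outputlookup id_descripcion.csv


sourcetype=B ISSUE="B"
| lookup id_descripcion.csv ID_1 OUTPUT DESCRIPCION
| fillnull value="UNKNOWN" DESCRIPCION
| stats count as issueCount by DESCRIPCION
```

How the first search works: both sourcetypes are pulled into one base search, so stats can group them by ID_1 on the indexers. Events from sourcetype A carry DESCRIPCION but no ISSUE field, so count(ISSUE) ignores them and only counts the sourcetype B events that survived the ISSUE="B" filter; values(DESCRIPCION) picks the description up from the sourcetype A event with the same ID_1. The where clause drops IDs that have a description but no B issues, and on the sample data the result is RED 2 and GREEN 1. Unlike join, there is no subsearch, so the default subsearch result and time limits do not truncate the description list, and the work is distributed rather than done on the search head. The time range must include the sourcetype A events; if descriptions are re-indexed periodically, replace values() with latest() so only the most recent one is kept.

The lookup variant separates the two halves: the second search snapshots ID_1 to DESCRIPCION into a CSV (run it on a schedule if sourcetype A changes), and the third search enriches only the filtered sourcetype B events and counts per description. fillnull is there because stats silently drops events whose by-field is null, which would otherwise hide issues for IDs missing from the lookup; CSV lookup matching is case-sensitive by default, so ID_1 values must be formatted identically in both sourcetypes.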