Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for field values present in one index missing from another index?

djconroy
Path Finder
‎04-21-2015 01:28 PM

I have one index with a field "MessageId" that is common with another index.

I need to got through all the values of MessageId in index1, and then search index2 to make sure they are also there.

I was trying to use an outer join to do this with the following syntax:

search index=index1
sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2 earliest=-5d@d latest=-4d@d
| eval ClockPunchID=MessageId
| eval Status1="Received"
| join ClockPunchID type=outer [search index=index2 * | eval ClockPunchID=MessageId | eval Status2 = "Received" ]
| eval Status = if(match(Status1,Status2), "Complete", "Incomplete")
| table ClockPunchID ClockTypeId Status1 Status2 Status

The problem I am getting is I get no results at all from my index2 search. All values of Status2 are blank. If I manually copy and paste the subsearch syntax into a separate search window I get exactly what I would expect, but as part of a join I get nothing, only the index1 results.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 01:41 PM

So, you have the field MessageId extracted in both indexes and want to know what values are in only one index and what values are in both? Try this:

  (index=index1 sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2) OR (index=index2)
| stats values(index) as indexes values(ClockTypeId) as ClockTypeId by MessageId
| eval Status = if(mvcount(indexes)==2, "Complete", "Incomplete")
| rename MessageId as ClockPunchID

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 01:41 PM

So, you have the field MessageId extracted in both indexes and want to know what values are in only one index and what values are in both? Try this:

  (index=index1 sourcetype=sourcetype1 Function=SubscriberFunction ClockTypeId=1 OR ClockTypeId=2) OR (index=index2)
| stats values(index) as indexes values(ClockTypeId) as ClockTypeId by MessageId
| eval Status = if(mvcount(indexes)==2, "Complete", "Incomplete")
| rename MessageId as ClockPunchID
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2015 02:22 PM

Append this to only keep events that exist in index1 or both:

... | search indexes="index1"

That's translated into "the multi-valued field indexes contains the value index1".

Reply
Solved! Jump to solution

djconroy
Path Finder
‎04-21-2015 02:42 PM

Great, thank you!

0 Karma
Reply
Solved! Jump to solution

djconroy
Path Finder
‎04-21-2015 02:14 PM

That is getting me close... but there is a delay in the Messages getting to Index2, which can skew results. I'm not really concerned if they are in index2 but not in index1. Is there a way to filter out occurrences where the MessageId exists in index2 but not index1?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...