Splunk Search

Matching values from a subsearch using append

cquinney
Communicator

I'm having an issue with matching results between two searches utilizing the append command. I realize I could use the join command but my goal is to create a new field labeled Match.

index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| append
[search index=type2 EVENT_TYPE=Blah2
| eval KEYFIELD2=field1.field2.field3.field4
| fields KEYFIELD2]
| eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match") 
| eval results2=if(match(KEYFIELD ,KEYFIELD2),"Match","No Match") 
| eval results3=if(like(KEYFIELD ,"%".KEYFIELD2."%"), "Match","No Match") 

Even though I know there are "matches", my results only come back as No Match.
Any assistance on this would be greatly appreciated.


cquinney
Communicator

I still required a field/column within my table stating Match or No Match. In order to accomplish this, I ended up creating a lookup file:

| lookup ProofOfConcept.CSV KEYFIELD as KEYFIELD OUTPUTNEW KEYFIELD as KEYFIELD2
| eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match")

When run over the last 24hrs I had both matches and no matches populate, which was to be expected.

0 Karma

woodcock
Esteemed Legend

Like this:

(index=type1 EVENT_TYPE=Blah1 KEYFIELD=*) OR (index=type2 EVENT_TYPE=Blah2)
| eval KEYFIELD=coalesce(KEYFIELD, field1.field2.field3.field4)
| stats values(*) AS * dc(index) AS index_count BY KEYFIELD

Then add some combination of logic using index=... AND/OR index_count=

grittonc
Contributor

You are appending records, which doesn't put them side-by-side. So you will never have a record that has both KEYFIELD and KEYFIELD2 to compare to each other. You will need to use a stats command that correlates the two datasets. What happens if you try this?

index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| append
[search index=type2 EVENT_TYPE=Blah2
| eval KEYFIELD=field1.field2.field3.field4
| fields KEYFIELD, index]
| stats dc(index) as index_count by KEYFIELD
| sort -index_count

There should be some values of KEYFIELD that have an index_count of 2 if there are matches. To filter them, add |search index_count > 1 to the search.

0 Karma
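The correlation that grittonc and woodcock describe, carried through end to end on constructed sample data so it can be pasted into any Splunk search bar. This is an added example, not code from either answer or from the original question. It stands in for the two indexes with a makeresults list: the field src plays the role of index, the type1 rows carry the key directly, and the type2 rows carry it as four dot-separated parts to mirror field1.field2.field3.field4 in the question. Both sides are then normalised onto one KEYFIELD, grouped with stats, and the Match/No Match column the question asks for is derived from dc(src) rather than from a row-to-row comparison (which append can never satisfy, because appended rows are never side by side). The constructed values abc1, def2, ghi3 and x.y.z.9 are sample data only.

```spl
| makeresults
| eval row=split("type1:abc1,type1:def2,type1:ghi3,type2:a.b.c.1,type2:d.e.f.2,type2:x.y.z.9", ",")
| mvexpand row
| rex field=row "^(?<src>[^:]+):(?<rest>.+)$"
| rex field=rest "^(?<field1>[^.]+)\.(?<field2>[^.]+)\.(?<field3>[^.]+)\.(?<field4>[^.]+)$"
| eval KEYFIELD=if(src="type1", rest, field1.field2.field3.field4)
| stats dc(src) AS index_count values(src) AS sources BY KEYFIELD
| eval results=if(index_count>1, "Match", "No Match")
| search sources="type1"
| sort -index_count
| table KEYFIELD sources index_count results
```

Stage by stage: the first rex splits each constructed row into src and the raw key; the second rex only matches the type2 rows, so field1 to field4 exist only there; the eval builds one KEYFIELD for both kinds of row (in a real search this is the same job woodcock's coalesce does); stats collapses to one row per key with a count of distinct sources, exactly as in grittonc's answer; and the final search keeps only keys that appeared in type1, so the table mirrors the original base search. Expected output: abc1 and def2 show index_count 2 and Match, ghi3 shows index_count 1 and No Match, and xyz9 is dropped because it never occurred in type1. Against live data, replace the makeresults lines with the OR'd index search from woodcock's answer and use index in place of src.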