Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Matching values from a subsearch using append
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Matching values from a subsearch using append
cquinney
Communicator
08-01-2019
11:20 AM
I'm having an issue with matching results between two searches utilizing the append command. I realize I could use the join command but my goal is to create a new field labeled Match.
index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| append
[search index=type2 EVENT_TYPE=Blah2
| eval KEYFIELD2=field1.field2.field3.field4
| fields KEYFIELD2]
| eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match")
| eval results2=if(match(KEYFIELD ,KEYFIELD2),"Match","No Match")
| eval results3=if(like(KEYFIELD ,"%".KEYFIELD2."%"), "Match","No Match")
Even though I know there are "matches", my results only come back as No Match.
Any assistance on this would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cquinney
Communicator
08-02-2019
02:09 PM
I still required a field/column within my table stating Match or No Match. In order to accomplish this, I ended up creating a lookup file
lookup ProofOfConcept.CSV KEYFIELD as KEYFIELD OUTPUTNEW KEYFIELD as KEYFIELD2
| eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match")
When run over the last 24hrs I had both matches and no matches populate, which was to be expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
08-01-2019
08:51 PM
Like this:
(index=type1 EVENT_TYPE=Blah1 KEYFIELD=*) OR (index=type2 EVENT_TYPE=Blah2)
| eval KEYFIELD=coalesce(KEYFIELD, field1.field2.field3.field4)
| stats values(*) AS * dc(index) AS index_count BY KEYFIELD
Then add some combination of logic using index=... AND/OR index_count=
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
grittonc
Contributor
08-01-2019
12:55 PM
You are appending records, which doesn't put them side-by-side. So you will never have a record that has both KEYFIELD and KEYFIELD2 to compare to each other. You will need to use a stats command that correlates the two datasets. What happens if you try this?
index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| append
[search index=type2 EVENT_TYPE=Blah2
| eval KEYFIELD=field1.field2.field3.field4
| fields KEYFIELD, index]
| stats dc(index) as index_count by KEYFIELD
| sort -index_count
There should be some values of KEYFIELD that have an index_count of 2 if there are matches. To filter them, add |search index_count > 1 to the search.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
