Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple source types in one search

sandeep_thosar
Explorer
‎04-01-2013 03:17 AM

Hi Team,

I have following scenario

source type :A contains Account Number
Source type :B Contains Account ID & Date

Want to write search to join this two source types and at the same time want to find Account Number of source type A in Account ID of source type B

Please help.

thanks in advance.

Tags (1)
Reply

strive
Influencer
‎07-18-2014 09:28 PM

You can achieve this using subsearches.
Note: dont forget to read the performance of subsearches in splunk documentation.

The below two links will help you

http://answers.splunk.com/answers/78899/problem-searching-for-matching-fields-within-multiple-source...
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Aboutsubsearches

Reply

smolcj
Builder
‎04-01-2013 03:37 AM

index=yourindex sourcetype=A | stats values(accountnumber) as accountid |join accountid [search index=yourindex sourcetype=B|table accountid date ]

did u try this?

0 Karma
Reply

strive
Influencer
‎07-18-2014 09:30 PM

You can achieve this using subsearches.
Note: dont forget to read the performance of subsearches in splunk documentation.

The below two links will help you

http://answers.splunk.com/answers/78899/problem-searching-for-matching-fields-within-multiple-source...
http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Aboutsubsearches

0 Karma
Reply

lbogle
Contributor
‎07-18-2014 06:24 PM

I have a similar search I am trying to work out except with machine hostnames. Single index w/ 5 different sources and am trying to build a report showing if a particular hostname shows up in each of the sources or perhaps highlight which source it's missing from.

0 Karma
Reply

sandeep_thosar
Explorer
‎04-01-2013 11:34 PM

My scenario is i have one Index which conatins two source files for ex. Source type="A" and Source Type="B". Both files contains Account ID which will be extracted using rex command. Now i want to search if account ID from Source type "A" is present in Source Type "B" then i want to extract customer ID from Source Type "B".

0 Karma
Reply

smolcj
Builder
‎04-01-2013 05:31 AM

sandeep, would u mind providing some more details?
like what was the output of this query and how your requirement differ from its output?
As I am not an expert in splunk, it may help me.
Thank u

0 Karma
Reply

sandeep_thosar
Explorer
‎04-01-2013 04:14 AM

Hi,

Thanks for help I am already tryed this but it's not fulfilled my requirements and i want to search Acccount Number from Source type A and on the basis of that want some values and Account ID from source B.

Please help as i am new to splunk.

Thanks in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...