Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Struggling to correlate 2 sourcetypes

rmines
New Member
‎03-22-2013 10:59 AM

Hi,

I'm trying to correlate data from 2 different sourcetypes that share a common field. I think I should be able to use "transaction" to do this, but I'm struggling. To explain my use case, imagine the following two sets of data:

Source 1

Device      ID

Device_1    123

Device_1    456

Device_1    179

Device_2    456

Device_2    999

Device_2    111

Device_3    999

Device_3    123

Source 2

ID      Text

123    Example_1

456    Example_2

179    Example_3

456    Example_4

999    Example_5

111    Example_6

In the first instance I want to be able to correlate them using the "ID" field, and pull back the combined fields, as follows:

Correlated

Device      ID      Text

Device_1    123    Example_1

Device_1    456    Example_4

Device_1    179    Example_3

Device_2    456    Example_4

Device_2    999    Example_5

Device_2    111    Example_6

Device_3    999    Example_5

Device_3    123    Example_1

Further I want to be able to search based on the value of that correlated "Text" field, such as showing only events where Text="Example_5"

Device_2 999 Example_5

Device_3 999 Example_5

Apologies for the long winded build up, but if anyone can get me started on how to achieve this I'd be extremely grateful, as I'm not sure if I'm going down completely the wrong track in trying to use "transaction" for this.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-22-2013 01:51 PM

While a join might be the only option, it is a fairly expensive - especially for larger data sets.

With the data set in your example, you could get away with a transaction (faster);

sourcetype=type1 OR sourcetype=type2 | transaction ID | table Device ID Text | where Text="Example_5"

Hope this helps,

Kristian

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-22-2013 11:18 AM

That sounds like a join to me:

sourcetype=source1 | join ID max=0 [search sourcetype=source2 Text="Example_5"]
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...