Splunk Search

Using field from subsearch in stats

infcl
Explorer

I have one type of log (let's call A) with format:
type=log a; name={name};

I also have log type B with format:
type=log b; name={name}; id={id};

I am looking to generate this table:
name | id | # of unique (name, id) values
name must originate from a log of type A, and id must come from a log of type B that has the same name value.

I only have the simple part down:
name | # of unique (name) values
type="log a" | stats dc(name) by name

I would appreciate help.


niketn
Legend

@infcl you can use stats for this kind of correlation. Based on your question, it seems like name is the key field to correlate type a and type b data.
The final filter checking for both type a and type b in the results is to ensure that the data being correlated is present in both logs and not only in log b.

| makeresults 
| eval _raw="type=log a; name=alpha;" 
| KV 
| append 
    [| makeresults 
    | eval _raw="type=log b; name=alpha; id=123;" 
    | KV]
| stats values(type) as types latest(id) as id by name
| search types="log a" AND types="log b"

The commands from | makeresults through | KV] are used to generate dummy data as per the question. Please plug in your existing query. Since you have not provided the field names or your current SPL, you may have to correct the field names in the stats query.

Please try it out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

infcl
Explorer

It seems you are hardcoding the values for name and id. Instead, I want to generate a table of all values for these fields, as long as there is a log of them.

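The correlation this thread is after, as an added example that is not part of the original thread and not Splunk code: a small Python script that parses the two log formats exactly as the question writes them, groups events by name, keeps only names that appear in both a type A and a type B log, and reports each name with its ids and the number of distinct (name, id) pairs, which is what `stats values(id) dc(id) by name` followed by a filter on both types would produce. The sample log lines are constructed for this example, and the choice of values(id)/dc(id) rather than latest(id) is an assumption based on the table the question asks for.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats given in the question.
SAMPLE_LOGS = [
    "type=log a; name=alpha;",
    "type=log a; name=beta;",
    "type=log b; name=alpha; id=123;",
    "type=log b; name=alpha; id=456;",
    "type=log b; name=alpha; id=123;",   # duplicate (alpha, 123) pair
    "type=log b; name=gamma; id=789;",   # no matching type A log: must be dropped
    "type=log a; name=delta;",           # no matching type B log: must be dropped
]

# key=value pairs terminated by ';' (values may contain spaces, e.g. "log a")
FIELD_RE = re.compile(r"\s*([^=;]+)=([^;]*);")


def parse_line(line):
    """Split a 'key=value; key=value;' line into a dict (the role of | kv)."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}


def correlate(lines):
    """Return rows (name, sorted ids, distinct id count) for names present in
    both log types. Mirrors:
        | stats values(type) as types values(id) as ids dc(id) as dc by name
        | search types="log a" AND types="log b"
    """
    types_by_name = defaultdict(set)
    ids_by_name = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        name, typ = ev.get("name"), ev.get("type")
        if not name or not typ:
            continue                      # malformed line, skip it
        types_by_name[name].add(typ)
        if typ == "log b" and ev.get("id"):
            ids_by_name[name].add(ev["id"])
    rows = []
    for name in sorted(types_by_name):
        # the "both types present" check from the answer's final filter
        if {"log a", "log b"} <= types_by_name[name]:
            ids = sorted(ids_by_name[name])
            rows.append((name, ids, len(ids)))
    return rows


if __name__ == "__main__":
    print("name | id | # of unique (name, id) values")
    for name, ids, dc in correlate(SAMPLE_LOGS):
        print(f"{name} | {', '.join(ids)} | {dc}")
```

Running it prints a single row for alpha with ids 123 and 456 and a count of 2; beta, delta and gamma are dropped because each appears in only one log type, and the repeated (alpha, 123) pair is counted once.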