Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Visually correlate two searches by field and count

Ted-Splunk
Engager
Thursday

There is an async process that logs first when something is created, then again when it is picked up by a service that will send a notification. I would like to create a visual that easily identifies customers with dropped notifications. (The two events occur within a minute.) I have two searches that share a common ID and identify the events above. When things are working well the counts by customer per day will be the same from both searches.  Is it possible to correlate the two searches to show any differences in these counts?

In this sanitized example MyIdA is the ID from search A while MyIdB is the same ID from search B

(search A) OR (search B)
| rex "cust (?<MyIdA>\d+)"
| rex "\"custId\",\"value\":\"(?<MyIdB>\d+)"

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
Thursday

Hi @Ted-Splunk ,

you should correlate the two searches using the common key (using eval coalesce) and check the presence in both searches (e.g. if they are in different indexes), something like this:

(search A) OR (search B)
| rex "cust (?<MyIdA>\d+)"
| rex "\"custId\",\"value\":\"(?<MyIdB>\d+)"
| eval key=coalesce(MyIdA,MyIdB)
| stats dc(index) AS inex_count BY key
| where index_count>1

 modify the condition based on the way to identify the two searches.

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
yesterday

I think you meant index_count < 2, not > 1 because OP wants to find keys with differing counts.

The formula is suitable if maximum number each key can appear in an index is 1.  If the key can appear more than once and the OP wants to find keys that have differing counts, the formula should change to

(search A) OR (search B)
| rex "cust (?<MyIdA>\d+)"
| rex "\"custId\",\"value\":\"(?<MyIdB>\d+)"
| eval key=coalesce(MyIdA,MyIdB)
``` above is the same as gcusello's ```
| stats count by key index
| eval index_count = index . ": " . count
| stats values(index_count) as index_count dc(count) as _distinct_count by key
| where _distinct_count > 1 OR mvcount(index_count) < 2

In the following scenario, for example,

indexkey
index1A
index1B
index2A
index2B
index2C
index2B

simply counting indices with condition index_count < 2 will give

keyindex_count
C1

This misses the differing counts for key B.  The more nuanced counts presented here will give

key
index_count
B
index1: 1
index2: 2
Cindex2: 1

As as side, the original formula by simple count of indices with index_count > 1 will give

keyindex_count
A2
B2

This is also incorrect because A is perfectly balanced while B is not.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...