Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Weighting events based on the source they originate from

mjones414
Contributor
‎05-01-2024 07:56 AM

I have a summary index that pulls in normalized data from 2 different sources (entirely different applications that catalog and categorize the data differently).  In situations where I have events in the summary index from both sources, they are 99.99% of the time duplicates of eachother, however source 1 has better data fidelity than source 2.  Lets say if I weighted High Fidelity source with a 1 and Low fidelity source with a 2, I'm trying to find a way to filter with a by clause on another field which both events have  (like device, or ip_address).  something logically like:

|where source=coalesce("sourcename1","sourcename2") by field

but where doesnt take a by clause.

In the past I've done similar things by coalescing each field I want with a case statement, but in this case there are quite a few and I'm wondering if there's a more efficient way of doing it.

any ideas on the best way to accomplish this?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-01-2024 10:05 AM 
| eval fidelity=if(source="source 1", 1, 2)
| eventstats min(fidelity) as best by device
| where fidelity == best

View solution in original post

Reply
Solved! Jump to solution

mjones414
Contributor
‎05-01-2024 01:34 PM

I owe you a lot of beers!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-01-2024 10:05 AM 
| eval fidelity=if(source="source 1", 1, 2)
| eventstats min(fidelity) as best by device
| where fidelity == best
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...