Splunk Search

how to compare 2 sourcetypes and fill data accordingly in a field

dtccsundar
Path Finder

Hi,

I have 2 sourcetypes with same index like ( index=A sourcetype= compare and index=A sourcetype= Fire)

i am doing outer join to get data from both sourcetypes for comparing whether agents are installed in machines in both sourcetypes .How to check a newly added machine in a sourcetype in Sourcetype=Compare and not in Sourcetype=Fire which is a old one.Currently i am not seeing the newly added machines from Compare sourcetype

My code :

index=A sourcetype=Compare
| fillnull value=""
| join type=outer Name
[ search index=A sourcetype=Fire
| fillnull value=""]

| table Name Agent

 

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

From the detail you have provide, it is difficult to see what might be going wrong. You could try approaching it a different way

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

From the detail you have provide, it is difficult to see what might be going wrong. You could try approaching it a different way

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent
0 Karma

dtccsundar
Path Finder

Thank you for your search which helped but still join worked with this stats .

Further , i am not able differentiate which sourcetype the Name belongs too.This is needed becoz when the Name is available in a sourcetype the other sourcetypes Agent should be changed as "Not in Scope" based on the sourcetype with which the Name belongs too.

my query is like ,

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name

| eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")
|eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version)
|eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Agent_Version)

|eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version)

| table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>