Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to compare 2 sourcetypes and fill data accordingly in a field

dtccsundar
Path Finder
‎11-16-2021 03:46 AM

Hi,

I have 2 sourcetypes with same index like ( index=A sourcetype= compare and index=A sourcetype= Fire)

i am doing outer join to get data from both sourcetypes for comparing whether agents are installed in machines in both sourcetypes .How to check a newly added machine in a sourcetype in Sourcetype=Compare and not in Sourcetype=Fire which is a old one.Currently i am not seeing the newly added machines from Compare sourcetype

My code :

index=A sourcetype=Compare
| fillnull value=""
| join type=outer Name
[ search index=A sourcetype=Fire
| fillnull value=""]

| table Name Agent

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-16-2021 05:09 AM

From the detail you have provide, it is difficult to see what might be going wrong. You could try approaching it a different way

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-16-2021 05:09 AM

From the detail you have provide, it is difficult to see what might be going wrong. You could try approaching it a different way

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent
0 Karma
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎11-16-2021 10:22 AM

Thank you for your search which helped but still join worked with this stats .

Further , i am not able differentiate which sourcetype the Name belongs too.This is needed becoz when the Name is available in a sourcetype the other sourcetypes Agent should be changed as "Not in Scope" based on the sourcetype with which the Name belongs too.

my query is like ,

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name

| eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")
|eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version)
|eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Agent_Version)

|eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version)

| table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...