Splunk Search

how to compare 2 sourcetypes and fill data accordingly in a field

dtccsundar
Path Finder

Hi,

I have 2 sourcetypes in the same index, like (index=A sourcetype=compare and index=A sourcetype=Fire).

I am doing an outer join to get data from both sourcetypes to compare whether agents are installed on the machines in both sourcetypes. How do I check for a newly added machine that is in sourcetype=Compare and not in sourcetype=Fire, which is the old one? Currently I am not seeing the newly added machines from the Compare sourcetype.

My code:

index=A sourcetype=Compare
| fillnull value=""
| join type=outer Name
    [ search index=A sourcetype=Fire
    | fillnull value="" ]
| table Name Agent


ITWhisperer
SplunkTrust

From the detail you have provided, it is difficult to see what might be going wrong. You could try approaching it a different way:

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent


0 Karma


dtccsundar
Path Finder

Thank you for your search, which helped, but the join still worked with this stats.

Further, I am not able to differentiate which sourcetype the Name belongs to. This is needed because, when the Name is available in one sourcetype, the other sourcetype's Agent should be changed to "Not in Scope" based on the sourcetype to which the Name belongs.

My query is like:

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")
| eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version)
| eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version)
| table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status

0 Karma
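Added example (not from either poster): a join-free search that answers both questions above, which sourcetype(s) each Name was seen in and which side should read "Not in Scope". It assumes the installed version sits in a field named Agent_Version in both sourcetypes (the thread uses Agent in one query and Agent_Version in the other; adjust to your field), splits that field per sourcetype before the stats (because values(*) as * merges both sourcetypes' copies into one field), and avoids fillnull so a missing value stays null and can be told apart from a machine that is simply absent from a sourcetype.

```spl
index=A (sourcetype=Compare OR sourcetype=Fire)
| eval Compare_Agent_Version=if(sourcetype="Compare" AND isnotnull(Agent_Version), Agent_Version, null())
| eval Fire_Agent_Version=if(sourcetype="Fire" AND isnotnull(Agent_Version), Agent_Version, null())
| stats count(eval(sourcetype="Compare")) as compare_events
        count(eval(sourcetype="Fire")) as fire_events
        values(sourcetype) as sourcetypes
        values(Compare_Agent_Version) as Compare_Agent_Version
        values(Fire_Agent_Version) as Fire_Agent_Version
        by Name
| eval Status=case(
        compare_events>0 AND fire_events>0, "Covered",
        compare_events>0 AND fire_events=0, "New in Compare",
        true(), "Only in Fire")
| eval Compare_Agent_Version=if(compare_events=0, "Not in Scope", coalesce(Compare_Agent_Version, "Not installed"))
| eval Fire_Agent_Version=if(fire_events=0, "Not in Scope", coalesce(Fire_Agent_Version, "Not installed"))
| table Name sourcetypes Status Compare_Agent_Version Fire_Agent_Version
| sort Status Name
```

Machines that exist in Compare but not in Fire come out with Status="New in Compare" and Fire_Agent_Version="Not in Scope"; append `| where Status="New in Compare"` to list only those.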