
how to compare 2 sourcetypes and fill data accordingly in a field

dtccsundar
Path Finder

Hi,

I have 2 sourcetypes in the same index, like (index=A sourcetype=compare and index=A sourcetype=Fire).

I am doing an outer join to get data from both sourcetypes to compare whether agents are installed on the machines in both sourcetypes. How do I check for a newly added machine that is in Sourcetype=Compare and not in Sourcetype=Fire, which is the old one? Currently I am not seeing the newly added machines from the Compare sourcetype.

My code:

index=A sourcetype=Compare
| fillnull value=""
| join type=outer Name
    [ search index=A sourcetype=Fire
    | fillnull value="" ]
| table Name Agent


ITWhisperer
SplunkTrust

From the detail you have provided, it is difficult to see what might be going wrong. You could try approaching it a different way:

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| table Name Agent



dtccsundar
Path Finder

Thank you for your search, which helped, but join still worked with this stats.

Further, I am not able to differentiate which sourcetype the Name belongs to. This is needed because when the Name is available in a sourcetype, the other sourcetype's Agent should be changed to "Not in Scope" based on the sourcetype to which the Name belongs.

My query is like:

index=A (sourcetype=Compare OR sourcetype=Fire)
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")
| eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version)
| eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version)
| table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status

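As an added example (not from either poster), one way to record which sourcetype each Name came from and keep the two agent values apart, assuming the same index=A, the sourcetypes Compare and Fire, and the fields Name and Agent used in the thread:

```spl
index=A (sourcetype=Compare OR sourcetype=Fire)
| eval in_compare=if(sourcetype="Compare",1,0)
| eval in_fire=if(sourcetype="Fire",1,0)
| eval Compare_Agent=if(sourcetype="Compare",Agent,null())
| eval Fire_Agent=if(sourcetype="Fire",Agent,null())
| stats max(in_compare) as in_compare max(in_fire) as in_fire
        values(Compare_Agent) as Compare_Agent values(Fire_Agent) as Fire_Agent by Name
| eval Presence=case(in_compare=1 AND in_fire=1,"Both",
                     in_compare=1,"Compare only (newly added)",
                     true(),"Fire only")
| fillnull value="Not in Scope" Compare_Agent Fire_Agent
| table Name Presence Compare_Agent Fire_Agent
```

Presence shows whether a machine appears in one or both sourcetypes, so the newly added machines are the rows marked "Compare only"; splitting Agent into Compare_Agent and Fire_Agent before the stats avoids the two values being merged into one multivalue field by values(*) as *.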