Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to compare values from two different searches and return the results if the values are equal

manojnelakurthi
New Member
‎10-06-2017 10:21 AM

I have 2 searches
Search1:
index=i_temp source=source1
Results:
xCoord=1155276.2781774567 yCoord=1885220.7999824171
xCoord=1144751.2989115883 yCoord=1919044.2279770568

Search2:
index=i_production source=feed
Results:
xCoord=1155276.2781774567 yCoord=1885220.799982417

I want to compare both the search results and return the results if the string xCoord=1155276.2781774567 yCoord=1885220.7999824171 is same in both the searches. In reality the results for bot the searches are larger in number.

Thanks

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎10-06-2017 02:04 PM

You can do something like this...

 (index=i_temp source=*source1*)  OR (index=i_production source=*feed* )
 | eval Field1=case(index=i_production,Field1)
 | eval TempTime=case(index=i_temp,_time)
 | eval ProdTime=case(index=i_production,_time)
 | fields xCoord yCoord ProdTime TempTime ...any other fields we want to keep...
 | stats values(*) as * by xCoord yCoord

If you want a field with a particular name from one index, but not from the other, then you do something like the eval Field1 line. If you need both and you need to know which is which, then use something like the eval TempTime/prodTime lines.

0 Karma
Reply

somesoni2
Revered Legend
‎10-06-2017 10:26 AM

Try this (gives list of xCoord and yCoord which are common in both indexes/sources)

(index=i_temp source=*source1*)  OR (index=i_production source=*feed* )
| stats dc(index) as indexes by xCoord yCoord 
| where indexes=2
Reply

manojnelakurthi
New Member
‎10-06-2017 11:33 AM

Thanks a lot, I am getting the list, but is there any way to get the full logs because i want to check the hostname on each of the search result to check how many requests are hitting each server for the matched xCoord and yCoord as the application is deployed on 3 servers.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...