Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search on multiple indexes

avitallange
Explorer
‎07-15-2013 03:42 AM

Hi,

I have two indexes: index1, index2.

index1 has a field 'Message' which index2 doesn't have.
There are duplicated messages that I'd like to dedup by |dedup Message.

I'd like to find the records with text "TextToFind" across the 2 indexes but not to get multiple records for the duplicated 'Message' field.

  • index=index1 TextToFind returns 94 results (appear in field Message)
  • index=index2 TextToFind returns 8 results (appear in field Content)
  • (index=index1) OR (index=index2) TextToFind returns 102 results

(index=index1) OR (index=index2) TextToFind | dedup Message returns 2 results from index1 only although the TextToFind appears on index2 as well (in field Content).

Could you please fix my query?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

samhughe
Path Finder
‎07-15-2013 06:31 AM

Is the text you are looking for in index1's message field or is it in a different field?
if so you could use the eval and coalesce functions (http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions) to put them into a new, single field and then dedup. If the text you are looking for isn't in index1's Message field not sure of your best option other than some of the join/subsearch type functions

View solution in original post

Reply
Solved! Jump to solution
Solution

samhughe
Path Finder
‎07-15-2013 06:31 AM

Is the text you are looking for in index1's message field or is it in a different field?
if so you could use the eval and coalesce functions (http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions) to put them into a new, single field and then dedup. If the text you are looking for isn't in index1's Message field not sure of your best option other than some of the join/subsearch type functions

Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 11:55 AM

It worked with the keepempty=true, thank you!

0 Karma
Reply
Solved! Jump to solution

samhughe
Path Finder
‎07-15-2013 08:08 AM

Based on your additional comments, try:
(index=index1) OR (index=index2) TextToFind | eval newField=coalesce(Message,Content) | dedup newField

Assuming there are no duplicates of 'Content' you want to keep.

Or probably the better option is to use the keepempty=true parameter for dedup: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Dedup

Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 08:06 AM

Yes, the test I am looking for is in index1's Message field.
It also appears on index2's Content field.
I updated my question above.
Your help is welcome!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 05:28 AM

If your first search works but your second search returns 0 results, that's because there is no field called Message in your search.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-15-2013 08:24 AM

See hamhughe's answer which I think is spot on.

0 Karma
Reply
Solved! Jump to solution

avitallange
Explorer
‎07-15-2013 08:04 AM

I have a field called Message, I see in the left pane with many other fields. You are right, I got results but I still can't query what I want. I updated my question above.
Your help is welcome!

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...