Solved: search query

djoobbani · ‎11-09-2023

Hi there:

I have two events shown below:

Event #1

source=foo1

eventid=abcd

Event #2

source=foo2

event_id=abcd

I am trying to query the above events. The event source is different. One is foo1 and the other foo2.

I want to find these events where they are linked with their event_id (from event #1 where source is foo1) and eventid (from event #2 where the source is foo2). Basically the value for eventid and event_id must be the same.

Do u know how i can construct the query for this?

Thanks!

richgalloway · ‎11-09-2023

Define a new field that contains either eventid or event_id, whichever is present, and group events on that field.

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-09-2023

Define a new field that contains either eventid or event_id, whichever is present, and group events on that field.

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID

---
If this reply helps you, Karma would be appreciated.

search query

subsearch

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!