Hi, I have two sourcetypes with disparate pieces of information that i want to bring together. Note that there are MULTIPLE MODULES per ORG sourcetype="orglog" -> OrgName, OrgAccountNumber, OrgModuleNum sourcetype="modulelog" -> ModuleNo, ModuleType I am doing a coalesce which works just fine for me ( I recently discovered that a coalesce is the closest splunk will ever get to a full outer join - which to my understanding the JOIN type=outer command does not do) sourcetype="orglog" OR sourcetype="modulelog" | eval ModuleID=coalesce(OrgModuleNum,ModuleNo) | dedup ModuleID | * What if i want to generate a report in this format. OrgName | OrgAccountNumber | ModuleType 1 | ModuleType 2 | ModuleType3 | ModuleType4 ACME INC 123 12 99 1384 232 FAKE CORPINC 6673 0 199 787 101 I know that what I want will not come from a simple stats (that some complicated god-knows-what operation is needed here). Bear in Mind, we are only interested in counting the number of modules (NOT INTERESTED in the actual ModuleID) Am I going about this the wrong way ? I am not lazy, just trying to figure out the best possible solution (not necessarily the most elegant one) ... View more

Hi, I am trying to do a full outer join on banklog and creditunionlog such that I can find the timestamp difference between the earliest and last account transaction (sourcetype="banklog") OR (sourcetype="creditunionlog" ) | rename BankAccountNo As Acct | rename CreditUnionAccountNo As Acct | stats range(_time) by Acct This works like a charm. Except when I try to add an account number filter like such, IT DOESNT ACTUALLY WORK (!?!?!??!!) (sourcetype="banklog") OR (sourcetype="creditunionlog" ) | rename BankAccountNo As Acct | rename CreditUnionAccountNo As Acct | search Acct=1 OR Acct=2 | stats range(_time) by Acct Anybody else know how a full outerjoin ought to be done in a situation like this ? Just to state my point, I am getting the results I need, I just need to narrow it down to a few accounts (I have 10000+ accounts per day 😞 ) ... View more

All, I have a sourcetype that gives me different account names (eg. boa, ml, goldman etc) sourcetype="banklogs" | dedup accountName I want to create an alert such that if the count of these accountNames is less than 7, it will email me with the accountName that was not reported by the sourcetype in that 24 hour period. Is there a way to do that ( I can use stats and COUNT them always - send an email when its less than 7 - but all i want to do is to report the missing accountName) Any ideas on how to go about this ? ... View more

All, I have two logs with sourcetype="alphalog" and sourcetype="betalog" with the generic timestamp _time present. I am joining them on a field called accountId . What I want to do is to be able to find the difference between the "_time" values if possible ? How do I find the time difference (epoch time is fine too) between two _time values in two difference log files ? ... View more

I am trying to get records in a certain time range (11:45 AM and 1:45 PM) and I can only rely on date_ hour and date_ minute to be my anchors of division This search that I came up with is extremely inefficient (and does not work) sourcetype="syslog" | ... | eval range=case((date_hour>=11 AND date_minute>=45) AND (date_hour<=13 AND date_minute<=45)), "in", ( (date_hour<=11 AND date_minute<=45) OR (date_hour>13 AND date_minute>45)), "out" ) Any body know of a more useful alternative ? What if I want to add a date_ month comparison in there as well ? ... View more