×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ms2151077
Engager
Member since: ‎03-27-2024
‎03-27-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-27-2024
View All

Re: Filtering out events based on common field and...

by in Splunk Search
‎03-27-2024 03:49 AM
‎03-27-2024 03:49 AM
Thanks so much! This is exactly what I was trying to achieve. Apologies about the wrongly formatted data, but your dummy data is correct. For wildcard, I meant a field name that appears multiple times but can have any number of different subfields (i.e. `wildcard_field.*`) but I wasn't sure if this was the correct terminology, but your answer does work exactly for this field. Thanks again for your answer. It solves my problem, and I have also learnt a bit more about searching in Splunk, which I really appreciate. 👍 ... View more

Filtering out events based on common field and col...

by in Splunk Search
‎03-27-2024 02:19 AM
‎03-27-2024 02:19 AM
I'm trying to achieve the following search and hoped others might have some helpful suggestions? I have two events from a summary index: `type_A` and `type_B`. They share a common field `entity_id` that may or may not match. I want to get all events of `type_B` where there is an event of `type_A` with a matching `entity_id`.  From this result, in `type_B` I have some wildcard fields (a common `wildcard_field` name with different sub-fields, such as `wildcard_field.field1`, `wildcard_field.field2`) and I want to extract the data for those fields into a table for visualisation. Example of event structure:     { event: type_A; entity_id: 123; } { event: type_B; entity_id: 123; // Matches a type_A event wildcard_field.field1: val1; wildcard_field.field2: val2; } { event: type_B; entity_id: 345; // This one won't have a matching type_A event wildcard_field.field1: val1; wildcard_field.field2: val2; }     Thank you for any suggestions   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-27-2024 12:03 PM
Karma given to
View All