×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ravi_lookout
Explorer
Member since: ‎09-26-2024
‎04-28-2025
Community Statistics
Posts 6
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎09-26-2024
Activity Feed
View All

Re: How to check if a nested json object is presen...

by in Splunk Search
‎04-21-2025 03:47 AM
‎04-21-2025 03:47 AM
This worked well @ITWhisperer . Thanks for the quick turnaround ... View more

How to check if a nested json object is present or...

by in Splunk Search
‎04-21-2025 03:29 AM
‎04-21-2025 03:29 AM
I have a few records in the splunk like this {"timeStamp":"2025-04-21T08:21:40.000Z","eventId":"test_eventId_1","orignId":"test_originId_1","tenantId":"test_tenantId","violation_stats":{"Key1":11,"Key2":23,"Key3":1,"Key4":1,"Key5":1},"lastModifier":"test_admin","rawEventType":"test_event"} {"timeStamp":"2025-04-21T08:21:40.000Z","eventId":"test_eventId_2","orignId":"test_originId_2","tenantId":"test_tenantId","violation_stats":{"Key1":1,"Key10":1},"lastModifier":"test_admin","rawEventType":"test_event"} {"timeStamp":"2025-04-21T08:21:40.000Z","eventId":"test_eventId_3","orignId":"test_originId_3","tenantId":"test_tenantId","violation_stats":{"Key6":1,"Key7":2,"Key8":1,"Key9":4},"lastModifier":"test_admin","rawEventType":"test_event"} {"timeStamp":"2025-04-21T08:21:40.000Z","eventId":"test_eventId_4","orignId":"test_originId_4","tenantId":"test_tenantId","lastModifier":"test_admin","rawEventType":"test_event"}   Now, I need to check how many records contain the violation_stats field and how many do not. I tried the below query, but it didn't work index="my_index" | search violation_stats{}=*   I checked online and got to know that I might need to use spath. However, since the keys inside the json are not static, I am not sure how I can use spath for my result. ... View more
Labels

Re: How to join search results from two indexes ba...

by in Splunk Search
‎09-30-2024 03:54 AM
‎09-30-2024 03:54 AM
@PickleRick , sorry I am not sure I fully understand. May I know where are we using the index_2 at all in the query? Also, if I have to form the dummy data, would I not rather have two CSVs - one for the index_1 data and the other for index_2 data? Btw, I tried to run the query, I am not getting the data in the tabular format. Adding this - table index1Id, curEventOrigin, curEventId, prevEventOrigin, prevEventId to the end of your query didn't help. Thanks Ravi ... View more

Re: How to join search results from two indexes ba...

by in Splunk Search
‎09-26-2024 08:54 AM
‎09-26-2024 08:54 AM
@PickleRick , thanks for responding. 1. I just posted a sample for each of the indexes as a reply to Tred_splunk's question. Can you please check and see if that makes it clear? - https://community.splunk.com/t5/Splunk-Search/How-to-join-search-results-from-two-indexes-based-on-multiple/m-p/700245/highlight/true#M237645 2. stats based search is good and I will consider your suggestion of adding only the necessary fields. However, this query is incomplete (in the sense that I am able to correlate only 1 event from index_2 to index_1 but not the other event) 3. The initial thought of renaming was to provide the distinction between two events from the same index (index_2) by identifying them as "current" and "previous" I hope I was able to clarify. Thanks ... View more

Re: How to join search results from two indexes ba...

by in Splunk Search
‎09-26-2024 08:49 AM
‎09-26-2024 08:49 AM
Sample form index_1 { "index1Id": "Id_1", "currEventId": "EventId_1", "prevEventId": "EventId_2" }   EventId_1 from index_2 { "eventId": "EventId_1", "eventOrigin": "EventOrigin_1", }   EventId_2 from index_2 { "eventId": "EventId_2", "eventOrigin": "EventOrigin_2", }   The final result I am looking for, after the search  index1Id prevEventId prevEventOrigin currEventId currEventOrigin Id_1 EventId_2 EventOrigin_2 EventId_1 EventOrigin_1   Thanks @tread_splunk  ... View more

How to join search results from two indexes based ...

by in Splunk Search
‎09-26-2024 05:26 AM
‎09-26-2024 05:26 AM
I have 2 indexes - index_1 and index_2 index_1 has the following fields index1Id currEventId prevEventId index_2 has the following fields index2Id eventId eventOrigin currEventId and prevEventId  in index_1 will have the same values as that of eventId of index_2 Now, I am trying to create the table of the following format index1Id prevEventId prevEventOrigin currEventId currEventOrigin   I tried the joins with the below query, but I see that the columns 3 and 5 are mostly blank. So, I am not sure what is wrong with the query.       index="index_1" | join type=left currEventId [ search index="index_2" | rename eventId as currEventId, eventOrigin as currEventOrigin | fields currEventId, currEventOrigin] | join type=left prevEventId [ search index="index_2" | rename eventId as prevEventId, eventOrigin as prevEventOrigin | fields prevEventId, prevEventOrigin] | table index1Id, prevEventOrigin, currEventOrigin, prevEventId, currEventId         And based on the online suggestions, I am trying the following approach, but couldn't complete it (works fine by populating all the columns)       (index="index_1") OR (index="index_2") | eval joiner=if(index="index_1", prevEventId, eventId) | stats values(*) as * by joiner | where prevEventId=eventId | rename eventOrigin AS previousEventOrigin, eventId as previousEventId | table index1Id, previousEventId, previousEventOrigin     Please let me know an efficient way to achieve the solution. Thanks    ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-28-2025 07:55 AM
Karma given to
View All