×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Ted-Splunk
Engager
Member since: ‎07-10-2025
‎11-24-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 1
Member Since ‎07-10-2025
Activity Feed
View All

Visually correlate two searches by field and count

by in Splunk Search
‎10-30-2025 10:14 AM
‎10-30-2025 10:14 AM
There is an async process that logs first when something is created, then again when it is picked up by a service that will send a notification. I would like to create a visual that easily identifies customers with dropped notifications. (The two events occur within a minute.) I have two searches that share a common ID and identify the events above. When things are working well the counts by customer per day will be the same from both searches.  Is it possible to correlate the two searches to show any differences in these counts? In this sanitized example MyIdA is the ID from search A while MyIdB is the same ID from search B (search A) OR (search B) | rex "cust (?<MyIdA>\d+)" | rex "\"custId\",\"value\":\"(?<MyIdB>\d+)" ... View more
Labels

Re: Correlating two events based on extracted fiel...

by in Splunk Search
‎07-11-2025 10:47 AM
1 Karma
‎07-11-2025 10:47 AM
1 Karma
I appreciate the response! I don't really understand how it works, but I was able to use your suggestion as a guide and came up with this. The two events have different source types so I needed the OR. I had always thought "count" was just for summing up on fields, yet here the field values I need are in the results. So I guess in my situation "where count=1" works because the primary event will always have a match. So a count of 1 means the primary search matched and the secondary didn't, not the other way around. index=idx1 (sourcetype=source1 "Queueing create notifications for EventId:") OR (NotificationService CREATED EVENT sourcetype=source2) | rex "EventId: (?<event_id1>\d+) in client (?<client_id>\d+)" | rex "\"eventId\",\"value\":\"(?<event_id2>\d+)" | eval event_id=coalesce(event_id1,event_id2) | fields client_id, event_id | stats values(*) as * count by event_id | where count=1   ... View more

Correlating two events based on extracted field va...

by in Splunk Search
‎07-10-2025 11:47 AM
‎07-10-2025 11:47 AM
There is a process I'm trying to track. It starts by generating a single event. Then asynchronously a second event is created. My problem is that the async process often fails. I would like to find all occurences of the first event that do not have a corresponding second event. I know how to search for each event independently. They share a couple common identifiers that can be extracted. I have tried a subsearch and a join but have not gotten any results. As a compressed and simplified example, here is my pseudo search index=idx1 ... (identifiers here) | rex "EventId: (?<event_id>\d+)" | join type=left event_id [ search index=idx1 ... (identifiers here) | rex "\"EventId\",\"value\":\"(?<event_id>\d+)" ] Both events occur at about the same time, usually within a second. They share the EventId extracted field which can be considered unique within the time period I'm searching. Limits are not an issue as this process occurs about 100 times a day. So how can I list out the EventIds from the main search that do not have a match in the second search? Thank you experts! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-24-2025 12:15 PM
Karma from
View All
Karma given to
View All