Can someone give me the basics to do something like
find THIS in search number 1, match it to THAT in search number 2, then Create a table with THESE fields from search number 1 and THOSE fields from Search number 2 (in line on the matched fields)
Basically the Splunk equivalent of a VLookup, but I don't have an inputlookup file, it's a live search.
I've done combined searches and created alerts to basically say if "this is greater than that" then alert, or "if this is NOT present in that" or whatever... and that seems to work... but I've only ever created the table of the results after the count, not just returning them in one line.
In the attached example, I am trying to return info from a search that contains error messages and plain language explanations along with root cause and proposed fixes. I will have current searches comparing the error message to the "SitecoreError_Short" field in our solutions database.
I narrowed the 'message' and the SitecoreError_Short fields down to one specific error, but what I would want is for it to search for message in SitecoreError_Short and then put the other fields like Plain_Error_Description, Root_Cause, Proposed_NextSteps in line with the error.
Ideas on how to accomplish this, or if I'm going about it completely wrong?
index="main" sourcetype="sitecore:*" message="*Object reference not set to an instance of an object.*"
| stats count by log_level,message,exception
| append
[search index=main source="C:\\SplunkLogs\\Splunk_ArkeSitecore_ErrorLogRCA.csv" SitecoreError_Short="*Object reference not set to an instance of an object.*"
| dedup SitecoreError_Short
| fields SitecoreError_Short, Plain_Error_Description, Root_Cause, Proposed_NextSteps]
Also, if a solution can be made to allow both (in this example) of the Plain_Error_Description fields to be visible, that would be awesome. (I'm thinking a multivalue of some sort?)
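Added example, not part of the original post: one way to line the two searches up in SPL is to give both sides a common key and then fold them together with stats, so that no inputlookup file is needed. It assumes the 'message' value and the SitecoreError_Short value are the identical string (if the CSV only holds a short form, both keys need the same normalization before the stats); the index, source and field names are taken from the question.

```spl
index="main" sourcetype="sitecore:*" message="*Object reference not set to an instance of an object.*"
| stats count by log_level, message, exception
| eval join_key=lower(trim(message))
| append
    [ search index=main source="C:\\SplunkLogs\\Splunk_ArkeSitecore_ErrorLogRCA.csv"
        SitecoreError_Short="*Object reference not set to an instance of an object.*"
      | eval join_key=lower(trim(SitecoreError_Short))
      | fields join_key, Plain_Error_Description, Root_Cause, Proposed_NextSteps ]
| stats values(log_level) as log_level,
        sum(count) as count,
        values(exception) as exception,
        values(Plain_Error_Description) as Plain_Error_Description,
        values(Root_Cause) as Root_Cause,
        values(Proposed_NextSteps) as Proposed_NextSteps
  by join_key
| where isnotnull(count)
| table join_key, log_level, count, exception, Plain_Error_Description, Root_Cause, Proposed_NextSteps
```

Because values() keeps every distinct value per key, two different Plain_Error_Description rows for the same error show up as a multivalue field on the one line, which covers the second ask; the final where drops solution-database rows that matched no live event.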