Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search same requestid from different sources and fileds

diag
New Member
‎05-28-2018 02:32 AM

I don;t know what's eval command I need to here but I like to make SPL like before

sourcetype A , field_a(requestid) field_a2 , field_a3 ,field_a4

sourcetype B, field_b(requestid) field_b2, field_b3, filed_b4

(what kind of eval or join i need to use here ) ?????

where field_a(requestid)=field_b(requestid)

table field_a(requestid) field_b(requestid) field_a3 ,field_a4 ,filed_b4

Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-28-2018 04:54 AM

Hi @diag ,

Can you please try following search?

(sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*)
| eval requestid=if(isnotnull(field_a),field_a,field_b) 
| stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid 
| where field_a = field_b

This is my sample search

| makeresults 
| eval sourcetype="A",field_a="1,2,3,4",field_a2="a2",field_a3="a3", field_a4="a4" 
| eval field_a=split(field_a,",") 
| mvexpand field_a 
| append 
    [| makeresults 
    | eval sourcetype="B",field_b="1,2,3",field_b2="b2",field_b3="b3", field_b4="b4" 
    | eval field_b=split(field_b,",") 
    | mvexpand field_b] 
| eval comment="Above search is for data generation. Use from below search"
| search (sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*)
| eval requestid=if(isnotnull(field_a),field_a,field_b) 
| stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid 
| where field_a = field_b

Thanks

0 Karma
Reply

HiroshiSatoh
Champion
‎05-28-2018 04:44 AM

Try this!

(sourcetype=sourcetype A OR  sourcetype=sourcetype B)
|eval key=if(sourcetype=sourcetype A, field_a, field_b)
|stats earliest(*) as * by key
|table field_a,field_b,field_a3 ,field_a4 ,filed_b4
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...