![]() So I'm a bit lost on where to go from here. At best I was able to have 2 different columns with every possible value for each field name - Login_ID and login_name. ![]() sourcetypemaster : id(pk)filenamestatus 123test1.txtS 124test2.txt. Please let us how can we display the result in search query using table format. (index=test1 sourcetype="1") OR (index=test2 sourcetype="2") earliest=-60m | stats value(1) stats value(2), etc.īut no dice yet. Hi All, We have 2 different sourcetype master and child need to join/append the source type on identity column master.id and child.mastertableid. I have 4 different indexes and sourcetypes with unique pid in all sources but all these sources are inter-related. I will give example that will give no confusion. I am getting output but not giving accurate results. I've been reading up on the Join command, but no dice so far. i want to create a funnel report in Splunk I need to join different data sources. Either using common fields (as shown above) or some other way. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and. ![]() Join 2 sourcetype on on field if time difference between 2 records is less than 3 seconds anujshah. But I wan to join records if and only if time difference if less than 3. fields source, sourcetype, host, error See also fields command fields. My hope is to take the join these sourcetypes together when searching. Sourcetype 1 : ITCM (trace log files) and for a given Locomotive number, go and find the events from Second source type and retrieve some info (example district name) and append to the column of the first. So I have 2 different source types which I can join using DEVICE field. One way Splunk can combine multiple searches at one time is with the append. ![]() Each with there own distinct fields and values. run on a different server from the Splunk Deployment Practical Lab Datasheet. Hopefully, as time goes on, I can answer even more. Com The Splunk Enterprise Certified Admin exam is a certification program. tcpout autoLB true defaultGroup XYZIndexer Define the target servers where the Forwarder should send the data to tcpout : XYZIndexer server splunk01.abc:9997, splunk02. The idea is just pile them all together, create a new ID that is the same field name for all, then let stats "group" then by that new id field.Seems like I ask a lot of questions here. Step 1: cat nf Define the server group which should be used as default for TCP forwarding. You could replace it with values(field1) as newnameforField1, values(field2) as. One way Splunk can combine multiple searches at one time is with the append. For your particular situation, I dont think join is necessary. This is because join is expensive and clunky, although it can achieve the desired results. ` is really just shortcut to "doing all the fields". set diff search indexidx2 sourcetypesrc dedup A search indexidx1. The rule of thumb in Splunk is: 'When possible, avoid the use of join unless its absolutely necessary'. You can use, like I did, an eval/case statement to collapse all possible field names that are your ID into one field you can stats on.Īnd the `stats values(*) as * by. | eval master_id = case(sourcetype=a, ID, sourcetype=b, PID, sourcetype=c, id) ) (sourcetype=a AND index=foo) OR (sourcetype=b AND index=bar) OR (sourcetype=c) index'other-index' sourcetype'other-index-sourcetype' earliest-14d I would like to end up with the following values: IP address, other-index. Search 1: index'internal' source'metrics.log' perindexthruput seriesautoshell hostlelsplunkix eval GBkb/ (10241024) timechart span12h sum (GB) as GB by series Results: (example - 500k+ rows returned) time raw sourcetype GB 07:04:33.307 ABC ship 0.0000264551490559 07:04:31.168 LMN rum 0. If PID is equal to ID (I hope it is, or else you either didn't give us enough information to solve the problem, or the problem is unsolveable because they're not actually related records.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |