Splunk Search

How to separate sets of information with same field values without using JOIN?

karthi2809
Builder

Hi All,

I have a field called filename. So I want to populate the result from the filename field, and I created two joins to separate them. Is there any other way without using join?

Success file and failure file:

| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (TEST) AND message IN ("*File put Succesfully*" ,"*successful Call*" , "*file processed successfully*" , "*Archive file processed successfully*" , "*processed successfully for file name*")
| rename content.Filename as SuccessFileName correlationId as CorrelationId
| table CorrelationId SuccessFileName
| stats values(*) as * by CorrelationId]
| table CorrelationId InterfaceName ApplicationName FileList SuccessFileName Timestamp
| join CorrelationId type=left
[ | search index=mulesoft applicationName IN (p-oracle-fin-processor , p-oracle-fin-processor-2 , p-wd-finance-api) AND priority IN (ERROR,WARN)
| rename content.Filename as FailureFileName correlationId as CorrelationId timestamp as ErrorTimestamp content.ErrorType as ErrorType content.ErrorMsg as ErrorMsg
| table FailureFileName CorrelationId ErrorType ErrorMsg ErrorTimestamp]


0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

To help you, I also need the main search.

Anyway, you should:

  • create a main search putting the three searches in OR,
  • correlate them using the stats command by the common key, adding values(field_name) as field_name for each field that you want to display.

Ciao.

Giuseppe

0 Karma

karthi2809
Builder

Hi @gcusello 
Yes, for that I used stats values of the field name. But I am not able to separate the error and success files.

This is my new query:

index=mulesoft environment=* (applicationName IN ("Test"))  
| stats  values(content.FileList{})  as FileList values(content.FileName)  as Filename values(content.Filename) as filename1 min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId applicationName   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS")
| eval SuccessFileName=mvdedup(mvfilter(match(message, "%succesfully*")  OR match(message, "Summary of all Batch*") ) )|eval SuccessFileName= coalesce(Filename,filename1)
| eval FailureFileName=mvdedup(mvfilter(match(priority, "WARN")  OR match(priority, "ERROR") ) )|eval FailureFileName= coalesce(Filename,filename1)|table SuccessFileName FailureFileName


0 Karma

gcusello
SplunkTrust

Hi @karthi2809,

After a stats command you have only the fields present in the stats command, so in your case you don't have the priority and message fields that you use in the evals after the stats.

Place the eval before the stats and add the related fields to the stats.

Ciao.

Giuseppe

0 Karma
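Putting Giuseppe's two suggestions together (one search with the conditions in OR, the evals before the stats, stats by the common key) gives the shape below. This is an added example, not a query from the thread; it assumes the fields named in the posts (correlationId, priority, message, content.Filename / content.FileName, content.FileList{}, content.ErrorType, content.ErrorMsg, timestamp), that a success event is identified by its message text and a failure event by priority ERROR or WARN, and that the success regex is loose enough to cover the "Succesfully" spelling seen in the original message patterns.

```spl
index=mulesoft applicationName IN ("Test", "p-oracle-fin-processor", "p-oracle-fin-processor-2", "p-wd-finance-api")
    ( message IN ("*File put Succesfully*", "*successful Call*", "*file processed successfully*", "*Archive file processed successfully*", "*processed successfully for file name*")
      OR priority IN ("ERROR", "WARN") )
| rename correlationId AS CorrelationId
| eval Filename=coalesce('content.Filename', 'content.FileName')
| eval IsFailure=if(priority=="ERROR" OR priority=="WARN", 1, 0)
| eval IsSuccess=if(IsFailure==0 AND match(message, "(?i)(succes+fully|successful call)"), 1, 0)
| eval SuccessFileName=if(IsSuccess==1, Filename, null())
| eval FailureFileName=if(IsFailure==1, Filename, null())
| eval ErrorTimestamp=if(IsFailure==1, timestamp, null())
| stats values(content.FileList{}) AS FileList
        values(SuccessFileName) AS SuccessFileName
        values(FailureFileName) AS FailureFileName
        values(content.ErrorType) AS ErrorType
        values(content.ErrorMsg) AS ErrorMsg
        values(ErrorTimestamp) AS ErrorTimestamp
        min(timestamp) AS Logon_Time
        max(timestamp) AS Logoff_Time
        BY CorrelationId applicationName
| eval Status=if(isnotnull(FailureFileName), "FAILURE", "SUCCESS")
| table CorrelationId applicationName Status FileList SuccessFileName FailureFileName ErrorType ErrorMsg ErrorTimestamp Logon_Time Logoff_Time
```

Because the per-event evals run before the stats, priority and message are still present when the file name is classified, and the two values(...) aggregations then carry the success and failure names into separate columns of the same row without any join.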