Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search two indexes specifying two matching columns

the_dude
Engager
‎11-14-2023 10:57 AM

I am trying to generate three reports with stats. The first is where jedi and sith have matching columns. The third is where jedi and sith do not match. Example:

index=jedi
| table saber_color, Jname, strengths

index-=sith
| table saber_color, Sname, strengths

I need to list where Jname=Sname

The third one is

where the Jname!=Sname 

The caveat is I cannot use the join for this query.

Any good ideas?

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2023 05:46 PM

Do you mean where Jname and Sname are the same AND the saber_colour + strengths are the same or something else?

This will find you all the cases where the same name has the same combination of saber_color and strengths

index=jedi OR index=sith
| eval name=coalesce(Jname, Sname)
| stats values(name) as names by saber_color strengths
| where mvcount(names)=1

and to find where Jname!=SName, change the mvcount to equal 2.

Good caveat not using join - you should always avoid join and it's almost never the right solution! 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2023 05:46 PM

Do you mean where Jname and Sname are the same AND the saber_colour + strengths are the same or something else?

This will find you all the cases where the same name has the same combination of saber_color and strengths

index=jedi OR index=sith
| eval name=coalesce(Jname, Sname)
| stats values(name) as names by saber_color strengths
| where mvcount(names)=1

and to find where Jname!=SName, change the mvcount to equal 2.

Good caveat not using join - you should always avoid join and it's almost never the right solution! 

0 Karma
Reply
Solved! Jump to solution

the_dude
Engager
‎11-18-2023 07:45 AM

@bowesmanait worked now I have to figure out how to utilize my drill down to isolate the columns and index heading with my query. Either way thank you.

0 Karma
Reply
Solved! Jump to solution

the_dude
Engager
‎11-14-2023 07:45 PM

Just the Jname and Sname need to match and all the other columns will coalesce. 
Because of the sheer size of the Sname (I set it up as our windows log index)index it worries me. However if I can find a way to drill down and expedite.

index IN (jedi AND sith)
| table saber_color, Jname, Sname, strengths, saber_color
| where Jname=Sname

That is what I am trying. I'll give it a shot with your method. @bowesmana 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2023 07:49 PM

Your example will not work as I understand Jname comes from index=jedi and Sname comes from index=sith, so unless you aggregate the events together, Jname and Sname will never exist in the same event, so try my example.

0 Karma
Reply
Solved! Jump to solution

the_dude
Engager
‎11-15-2023 06:06 AM

@bowesmanawill give it a try. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...