
I am new to using Splunk and wanted to get some help in combining two search results and organizing them so that they display matching information from the two searches.

So what I am searching for is something like the following. (I had to edit some of the info for security.)

index=INDEX sourcetype=SOURCETYPE authresult (UNIQUEID)

This will provide me with several events with the necessary fields for what I am searching, but I need to compare the field UNIQUEHASH from this search with the same field of another similar search with a different UNIQUEID. I only want to get the information from UNIQUEHASH if both searches include the same value and how many times they are returned.

So if I do a search for UNIQUEID1 and get the following number of events with the following UNIQUEHASH values.

UNIQUEHASH  Times
123         10
456         20
789         30

I would like to do the same search for UNIQUEID2 which provides the following UNIQUEHASH values.

UNIQUEHASH  Times
123         20
789         400

With these two searches I would like to combine them in a simple table with the UNIQUEHASH and how many times each UNIQUEID returned that amount. So in this example the UNIQUEHASH w/ a value of 456 isn't included because UNIQUEID2 doesn't return any.

UNIQUEHASH  UNIQUEID1   UNIQUEID2
123         10          20
789         30          400
7H3LaughingMan

1 Answer


What you're describing can be done either with join (the more "obvious" path), or stats:

join:
index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="1"
| stats count by uniquehash times
| fields - count
| rename times as unique1
| join uniquehash
    [| search index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid="2"
    | stats count by uniquehash times 
    | fields - count
    | rename times as unique2 ]

Note, using join is generally not suggested - the innermost search will be capped at 60s run time or 50k rows returned (so run the fastest/shortest search innermost).

Additionally, this will get very cumbersome if you need to do more than a couple of "uniqueid" comparisons.

stats:
index=ndx sourcetype=srctp uniquehash=* times=* uniqueid=*
| eval idkt=uniqueid+","+times
| stats values(idkt) as idkt dc(uniqueid) as ids by uniquehash
| where ids>1
| mvexpand idkt
| rex field=idkt "(?<uniqueid>[^,]+),(?<times>.+)"
| table uniquehash uniqueid times
warren
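An added example, not part of the question or of warren's answer, that produces the pivoted table the question asks for directly (one row per hash, one column per UNIQUEID, only hashes seen under every ID). It assumes the lower-case field names uniquehash and uniqueid used in the answer, that the "Times" column in the question is the per-hash event count rather than a stored field, and that INDEX, SOURCETYPE, UNIQUEID1 and UNIQUEID2 are placeholders to be replaced with the real values:

```spl
index=INDEX sourcetype=SOURCETYPE authresult uniqueid IN ("UNIQUEID1","UNIQUEID2")
| stats count AS times BY uniquehash uniqueid
| eventstats dc(uniqueid) AS ids_seen BY uniquehash
| where ids_seen = 2
| xyseries uniquehash uniqueid times
```

The stats line collapses the raw events to one row per (uniquehash, uniqueid) pair with the event count in times; eventstats then counts how many distinct IDs each hash appeared under, and the where keeps only hashes seen under every ID (the literal 2 must match the number of IDs in the IN list, so a hash that appears for only one ID, like 456 in the question, is dropped). xyseries pivots the remaining rows into the UNIQUEHASH / UNIQUEID1 / UNIQUEID2 layout with the counts as cell values. Because everything runs in a single search there is no subsearch, so the 60s / 50k-row subsearch limit mentioned in the answer does not apply, and adding a third ID only means adding it to the IN list and bumping the 2.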