Splunk Tips and Tricks | How to Join Two Sourcetypes Together
Published on 28 Nov 2024
It is often helpful to combine the results of two sourcetypes into one set of results. This tutorial shows the proper way to do it. It should not be done with a join statement: the stats command is the Splunk best-practice tool for this, and this tutorial shows how to use stats to stitch the data together.
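As an added illustration, not from the video or its description: one way to stitch two sourcetypes together with stats instead of join. The shared key goes in the `by` clause, `values()` gathers the fields each side contributes, and the `count(eval(...))` counters record which sourcetype supplied events for each key. The index names, sourcetypes and field names (`access_combined` with `clientip`, `status` and `user`; `linux_secure` with `user`) are assumptions made for this example.

```spl
(index=web sourcetype=access_combined) OR (index=auth sourcetype=linux_secure)
| eval user=coalesce(user, username)
| stats
    values(clientip)  as client_ips,
    values(status)    as http_statuses,
    count(eval(sourcetype="access_combined")) as web_events,
    count(eval(sourcetype="linux_secure"))    as auth_events,
    dc(sourcetype)    as sourcetype_count
  by user
| where sourcetype_count=2
```

The final `where sourcetype_count=2` keeps only users seen in both sourcetypes, which behaves like an inner join; drop that line and you get the outer-join-style result, with `web_events` or `auth_events` at zero for keys that appear on only one side. Because stats reduces the events in a single pass, it avoids the subsearch that a `join` would run.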
I'm happy you shared this. I was eager to go try join and collect at work.
Let me know if you have any questions. Glad it was a help. Love that stats command.
Any good place to find the commands you are using? Explanation or examples.
Which particular commands would you like help with?
For a lot of Splunk command tutorials, this is a good playlist:
th-cam.com/play/PLFF93FRoUwXGPIh4E5mBvbVxrpjGRUqIO.html&si=nfnefsj86JHATdX6
Doesn't the stats command also have a limit of 50,000 by default?
I am not aware of any limit on stats. It definitely is not 50,000.
Have you ever done a token lookup using two different indexes? If so can you point me to what video that was?
Actually I have. Let me see if I can find the link.
th-cam.com/video/dNTaw2VmpJ4/w-d-xo.html
This should more or less get you to what you want. A conditional token that runs different queries based off the result.
@lamecreations_guides awesome, thanks!!