First: don’t dedup on _raw.
The _raw events are never duplicated (unless you’ve done something wrong on ingest).
Second, to your actual question – try something along the lines of this:
index="myIndex" "started with profile" BD_L*
| eval Platform=case(match(_raw,"LINUX"),"LINUX",match(_raw,"AIX"),"AIX",match(_raw,"DB2"),"DB2", match(_raw,"SQL"),"SQL", match(_raw,"WEBSPHERE"),"WEBSPHERE", match(_raw,"SYBASE"),"SYBASE", match(_raw,"WINDOWS"),"WINDOWS", true(),"ZLINUX")
| stats count by Platform RUNID
| join type=left RUNID
[ search index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT*
| stats count by RUNID
]
| stats count by Platform
If you can provide some sample data from your two indices, we can get you much closer to a good solution – but this should move you towards an answer.
There’s likely a way to not use join in this search – but we need sample data to verify that. 🙂
from User warren – Stack Overflow https://stackoverflow.com/questions/69707314/splunk-return-one-or-true-from-a-search-use-that-result-in-another-search/69712393#69712393
via IFTTT