topic Can we Regex while using "OR" in Splunk Dev

Can we Regex while using "OR"

vikasreddy — Sun, 19 Feb 2017 01:42:14 GMT

I have two indexers where i have to compare one field among them.I don't want to use join,Instead of that i used OR condition But the thing is from one of the index I have to extract a field using rex during search time .How can I do that.
index A
Sample Field (this field already present in the index )

index B
I have to extract the field

Here is the sample Query
(index=A sourcetype=xyz) OR (index=B sourcetype=ABC )
| rex "doc_name:\"(?[^+]+)"

when I am doing this it is considering only one index data i.e only from B index it is taking data. How can I over come this?

Re: Can we Regex while using "OR"

ddrillic — Sun, 19 Feb 2017 03:21:23 GMT

Right, you are on the right track as the simulation of JOIN can be done via OR and then stats.

The following explains it nicely by @sideview - simulating a SQL JOIN in Splunk

It says

-- But here's how to do it just with search and stats. One big OR clause in search mashes the two data sets together and then we do a little bit of stats command to merge it all into what we want.

The code example is - source=costtable OR source=usertable | stats first(username) as name sum(cost) as total by userid | sort - total | fields username total

Re: Can we Regex while using "OR"

vikasreddy — Sun, 19 Feb 2017 05:36:19 GMT

But My Question is how can I do that?

Re: Can we Regex while using "OR"

ddrillic — Sun, 19 Feb 2017 20:51:39 GMT

Probably you need to do the following -

1) OR the two indexes
2) extract the field from index B, and producing a field with same name as the field from A
3) stats on this field, per example above

Re: Can we Regex while using "OR"

vikasreddy — Mon, 20 Feb 2017 04:06:52 GMT

I am not able to go forward , Here is my detail explanation

I have a Index A from which i have to take a field name Say "Sample". In index B I have to extract a field using rex with same name "Sample". the thing is when we using OR it is extracting the field sample from one index only i.e index B . how to get field and values from both the index?

detail query

(index= A sourcetype=xyz) OR (index=B sourcetype=cdf )
|rex"^)?P[^,]*)

i have written the query in this type when i ran it's show data from ony index B .how can i get data from both the index ?

Re: Can we Regex while using "OR"

DalJeanis — Mon, 20 Feb 2017 21:19:37 GMT

Let's assume that there is a field name "sample" on index A, and no such field on B. However, in the _raw on B there is a section that the value of sample can be pulled from, and no such section on index A. Let's also assume that there is a value statA on A and a value statB on B that you need to get the total of.

(index=A sourcetype=xyz) OR (index=B sourcetype=ABC )
| rex "doc_name:\"(?<sampleB>[^+]+)"
| eval sample =coalesce(sample,sampleB)
| stats sum(statA) as StatA sum(statB) as statB by sample