topic How to associate a value generated by a host with a field/event outside of the source? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152682#M31079 <P>This is an overview of how my system produces a certain value:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/526i22A2D7604FC73FBF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Usually each area has a set of hosts, but there are also a few hosts that do not. In this case, one host that is not part of an area is generating a value that I need to associate with an area.</P> <P>The name of the area can be found in the name of the source generated by the host such as <CODE>source=/log/areaName/rest_of_path</CODE>. Would it be possible to create an association using just SPL or must the flow be top down like <CODE>area -- host -- value</CODE>? How should I structure my search logic?</P> <P>The purpose of this is to be able to list the Value by Area so that each Area will have one Value.</P> Mon, 03 Aug 2015 12:01:39 GMT ohlafl 2015-08-03T12:01:39Z How to associate a value generated by a host with a field/event outside of the source? https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152682#M31079 <P>This is an overview of how my system produces a certain value:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/526i22A2D7604FC73FBF/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Usually each area has a set of hosts, but there are also a few hosts that do not. In this case, one host that is not part of an area is generating a value that I need to associate with an area.</P> <P>The name of the area can be found in the name of the source generated by the host such as <CODE>source=/log/areaName/rest_of_path</CODE>. Would it be possible to create an association using just SPL or must the flow be top down like <CODE>area -- host -- value</CODE>? How should I structure my search logic?</P> <P>The purpose of this is to be able to list the Value by Area so that each Area will have one Value.</P> Mon, 03 Aug 2015 12:01:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152682#M31079 ohlafl 2015-08-03T12:01:39Z Re: How to associate a value generated by a host with a field/event outside of the source? https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152683#M31080 <P>If I understand you correctly, you need the<CODE>coalesce</CODE> command and can use it like this:</P> <PRE><CODE>... | rex field=source "/[^/]+/(?&lt;areaName&gt;)[^/]+/" | eval areaName=coalesce(areaName, host) | stats values(Value) by areaName </CODE></PRE> <P>Or, since every event will have a source so the <CODE>rex</CODE> command will have false positives for the "null" case above, maybe you need the <CODE>if</CODE> command like this:</P> <PRE><CODE>... | rex field=source "/[^/]+/(?&lt;areaName&gt;)[^/]+/" | eval areaName=if(myTestHere(areaName), areaName, host) | stats values(Value) by areaName </CODE></PRE> Mon, 03 Aug 2015 12:18:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152683#M31080 woodcock 2015-08-03T12:18:39Z Re: How to associate a value generated by a host with a field/event outside of the source? https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152684#M31081 <P>This would seem about right, yes, I do however get an error with the rex:</P> <PRE><CODE>Error in 'rex' command: Encountered the following error while compiling the regex '/[^/]+/(?&lt;areaName)[^/]+/': Regex: syntax error in subpattern name (missing terminator) </CODE></PRE> <P>I am not very familiar with regex, excuse my noobishness.</P> Mon, 03 Aug 2015 13:52:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152684#M31081 ohlafl 2015-08-03T13:52:47Z Re: How to associate a value generated by a host with a field/event outside of the source? https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152685#M31082 <P>Sorry, I had a typo in my RegEx but I fixed it. Try it again.</P> Mon, 03 Aug 2015 14:01:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-associate-a-value-generated-by-a-host-with-a-field-event/m-p/152685#M31082 woodcock 2015-08-03T14:01:48Z