topic Re: How to consider values of a field from the events of type1 when does not exist in type2? in Splunk Search

How to consider values of a field from the events of type1 when does not exist in type2?

bollam — Wed, 05 Dec 2018 10:12:30 GMT

Hello,

I have got two type of events, typeA and typeB, In both the fields I'm interested in only a single field "Success".
Either if the field Success does not exist or it's value is "" in typeA then it should consider the value of Success from the typeB.
How do I do this?

Re: How to consider values of a field from the events of type1 when does not exist in type2?

bollam — Wed, 05 Dec 2018 10:24:19 GMT

Update:

both types will have a common id. If typeA does not contain the "Success" with id "123", It should consider the value of "Success" from typeB which as same id "123"

Re: How to consider values of a field from the events of type1 when does not exist in type2?

tom_frotscher — Tue, 29 Sep 2020 22:18:01 GMT

Hi,

the Answer depends on how exactly your events look like. But in general you can do something with stats to get both fields in one event:

your search | | stats list(Success) as l_success by id | eval Success=mvindex(l_success,0)

I think to finally answer this question, we need more information about your events.

Greetings

Tom

Re: How to consider values of a field from the events of type1 when does not exist in type2?

bollam — Tue, 29 Sep 2020 22:18:15 GMT

@tom_frotscher, Please find the events and a bit more description on the requirement.

I have got events with two different types, Type=First and type=Second

I would like to get the consolidated(with unique tags) from both the types based on the following conditions.

If both types have a values of tag then on priority it should consider value of tag from the type=First and ignore the tag value from type=Second even if it has value or not.
ii) If tag has no value i.e., "" in type=First and tag of type=Second has tha value then it consider the value from type=Second for the same id of type=First.
iii) if both the types has no value in tag. we can ignore this.

Note: the values of id_first and id_second has same values but the naming convention is different.

time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag=""

time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great"

output:

tag id
some 210469
where 210469
fishy 210470
wrong 210483
great 210487