topic Re: How to join fields that have different values in Splunk Search

How to join fields that have different values

gravi — Thu, 14 Nov 2019 18:21:00 GMT

I need to join two searches that do not have a common fields.

First search has a field FileName=Test.json
Second search has field FileName=Test.json.pgp

How do I join the two searches?

Thanks

Re: How to join fields that have different values

yannK — Thu, 14 Nov 2019 19:04:08 GMT

what about an OR condition ?

  FileName=Test.json OR FileName=Test.json.pgp

Or if you have 2 searches and try to JOIN them, normalize the fields name or content, then use a join

 search1withoutpgp | eval FileName=FileName.".pgp" | join FileName [ search search2withpgp  |  table myotherfield FileName]

Re: How to join fields that have different values

edgarsilva01 — Thu, 14 Nov 2019 21:50:07 GMT

Hi Gravi

Once I had a similar scenario, the first thing that worked for me was evaluated that both fields had the same type of data is "Strings"
After validating that, perform the inner join command to make the cross and compare the data.

Regards

Re: How to join fields that have different values

woodcock — Fri, 15 Nov 2019 00:24:26 GMT

Like this:

(index="indexA" AND sourcetype="sourcetypeA" AND FileName=Test.json)
(index="indexB" AND sourcetype="sourcetypeB" AND FileName=Test.json.pgp)
| rex field=FileName mode=sed "s/\.pgp$//"
| stats values(*) AS * BY FileName

Re: How to join fields that have different values

gcusello — Fri, 15 Nov 2019 08:00:43 GMT

HJi @gravi,
if there's a rule in the values of filename in the second search (e.g. take all but extension), you could use regex to extract them, something like this:

index=index_A
| join FileName [ search index=index_B | rex field=FileName "(?<FileName>.*)\.\w+$" ]
| ...

Ciao.
Giuseppe