topic How to make table from two queries with common field in Splunk Search

How to make table from two queries with common field

edrivera3 — Wed, 05 Aug 2020 15:20:51 GMT

I have one index with two sources (source=source1 and source2). Both events have two common fields (common_field1 and common_field2).

The events with source_1 have three fields (source1_field1, common_field1, common_field2).

The events with source_2 have three fields (source2_field1, common_field1, common_field2).

I tried the following without success:

(source=source1 OR source=source2) | table common_field1, common_field2, source1_field1, source2_field1

There are more events in source1 than in source2. The table should have one row per source1 event. Source2's events will be used based on the common fields. There will be many instances where the same source2 event is used.

Re: How to make table from two queries with common field

isoutamo — Wed, 05 Aug 2020 15:43:28 GMT

could you try the next:

index=<your index> (source=source1 OR source=source2) | stats values(source*) as source* by common_field1 common_field2 | table common_field1, common_field2, source1_field1, source2_field1

r. Ismo

Re: How to make table from two queries with common field

edrivera3 — Wed, 05 Aug 2020 16:35:48 GMT

@isoutamoIt didn't work. It produced a table with only the common fields. The other two fields were empty.

Re: How to make table from two queries with common field

isoutamo — Wed, 05 Aug 2020 19:57:18 GMT

can you give some sample data as this is working.

index=_internal source IN (*metrics.log,*splunkd.log) app_name="cloudgateway_metrics.app" OR component=Metrics | stats values(app_name) as app_name values(component) as component by host index | table host index app_name component

r. Ismo

Re: How to make table from two queries with common field

edrivera3 — Mon, 10 Aug 2020 16:43:22 GMT

I ended up re-indexing those events but with with the additional fields included. It was not that bad because those events were from a mysql db connection. I did tried the Join command but it was very slow for the amount of data I was pulling.