https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/545052#M154346 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/46084">@rbachu1</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 24 Mar 2021 07:08:55 GMT gcusello 2021-03-24T07:08:55Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544588#M154248 <P>Hi Everyone,&nbsp;</P><P>I have two events like below on the same index though. I captured all fields through rex command but unable to join and publish the desired output. Kindly Help. Thank you</P><P>index=abc&nbsp;</P><P class="p1"><SPAN class="s1">Event 1 : </SPAN></P><P class="p1"><SPAN class="s1">caseStatus in update case :: CaseStatusToUpdate [caseId=12345, caseStatus=Active, timeStamp=Fri Mar 19 18:49:39 UTC 2021]</SPAN></P><P class="p1"><SPAN class="s1">Event 2:</SPAN></P><P class="p2"><SPAN class="s1">caseDetails :: [caseID=12345, type=Credit]</SPAN></P><P class="p2"><SPAN class="s1">Output:</SPAN></P><P class="p2"><SPAN class="s1">caseID,&nbsp;caseStatus,&nbsp;type,&nbsp;timeStamp</SPAN></P> Sat, 20 Mar 2021 00:18:09 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544588#M154248 rbachu1 2021-03-20T00:18:09Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544600#M154251 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/46084">@rbachu1</a>,</P><P>the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:</P><LI-CODE lang="markup">index=your_index | rename caseId AS caseID | stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Sat, 20 Mar 2021 07:29:36 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544600#M154251 gcusello 2021-03-20T07:29:36Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544656#M154257 <P>Thank you for the reply. However, I am not using splunk&nbsp; field extractor for extracting fields, I am using rex command, I have captured caseID from both the events using rex commands. but I am stuck in joining them and publish the case status as per&nbsp; caseID.&nbsp;</P><P>&nbsp;</P> Sun, 21 Mar 2021 01:45:38 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544656#M154257 rbachu1 2021-03-21T01:45:38Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544671#M154258 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/46084">@rbachu1</a>,</P><P>if you use two regexes to extract fields is easier because you have only to use the same fieldname in both field extraction, in few words: to group events you need the same fieldname.</P><P>Then the approach with stats is the correct one, did you tried it?</P><P>Ciao.</P><P>Giuseppe</P> Sun, 21 Mar 2021 07:04:34 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/544671#M154258 gcusello 2021-03-21T07:04:34Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/545023#M154339 <P>Thank you, that helped. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 24 Mar 2021 01:21:18 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/545023#M154339 rbachu1 2021-03-24T01:21:18Z https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/545052#M154346 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/46084">@rbachu1</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 24 Mar 2021 07:08:55 GMT https://community.splunk.com/t5/Splunk-Search/Join-two-events-and-publish-the-fields/m-p/545052#M154346 gcusello 2021-03-24T07:08:55Z