https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306038#M164739 <P>Hello again,</P> <P>Option 1 is better, it was my fault, I missed type a field..oups <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Thank you again DalJeanis <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Have a great day</P> Wed, 29 Nov 2017 14:00:17 GMT mvagionakis 2017-11-29T14:00:17Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306030#M164731 <P>Hello,</P> <P>I'm trying to combine values from two events and to make a table with them.<BR /> Let me explain you.<BR /> I have the same index, the same source and the same sourcetype but some fields are named differently.</P> <P>Below an example:</P> <P>event1:<BR /> SNMPv2-SMI::enterprises."5560.300.9002.1.3.111.112.113.114.0" = "state" <BR /> somestate = state<BR /><BR /> remote_gateway_st = 111.112.113.114<BR /> host = titi<BR /><BR /> index = someindex<BR /><BR /> linecount = 1<BR /><BR /> punct = -::."........."<EM>=</EM>""_<BR /><BR /> source = snmp://test <BR /> sourcetype = sourcetype_toto <BR /> splunk_server = host1<BR /><BR /> splunk_server_group = dmc_group_indexer<BR /><BR /> timestamp = none </P> <P>event2:<BR /> SNMPv2-SMI::enterprises."5560.300.9002.1.2.217.167.157.241.0" = "a_client" </P> <P>ClientName = a_client<BR /><BR /> remote_gateway = 111.112.113.114 <BR /> host = titi<BR /><BR /> index = someindex<BR /><BR /> linecount = 1<BR /><BR /> punct = -::."........."<EM>=</EM>""_<BR /><BR /> source = snmp://test <BR /> sourcetype = sourcetype_toto <BR /> splunk_server = host1<BR /><BR /> splunk_server_group = dmc_group_indexer<BR /><BR /> timestamp = none </P> <P>My goal is to combine them when <STRONG>remote_gateway_st=remote_gateway</STRONG> and to put in a table the fields <STRONG>remote_gateway_st ,ClientName,somestate</STRONG>.</P> <P>I tried <STRONG>join</STRONG> function but I couldn't make it work.</P> <P>Could you give me some help please? </P> <P>Thank you in advance,<BR /> Michail</P> Tue, 29 Sep 2020 16:58:12 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306030#M164731 mvagionakis 2020-09-29T16:58:12Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306031#M164732 <P>There are lots of ways.</P> <P>Method 1 - Splunk Stew (This method is generally preferred)</P> <PRE><CODE>index=someindex host="titi" source="snmp://test" sourcetype="sourcetype_toto" ( ClientName="a_client" OR somestate="state") | fields index host source sourcetype remote_gateway* somestate ClientName | eval remote_gateway_merged=coalesce(remote_gateway,remote_gateway_st) | stats values(*) as * by remote_gateway_merged </CODE></PRE> <P>Method 2 - Join </P> <PRE><CODE>index=someindex host="titi" source="snmp://test" sourcetype="sourcetype_toto" ClientName="a_client" | fields index host source sourcetype remote_gateway somestate ClientName | join remote_gateway [search index=someindex host="titi" source="snmp://test" sourcetype="sourcetype_toto" somestate="state" | fields remote_gateway_st somestate | rename remote_gateway_st as remote_gateway | table remote_gateway somestate ] </CODE></PRE> Tue, 28 Nov 2017 17:10:59 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306031#M164732 DalJeanis 2017-11-28T17:10:59Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306032#M164733 <P>HI </P> <P>Can you please try this?</P> <PRE><CODE>index=someindex | eval remote_gateway_st=coalesce(remote_gateway,remote_gateway_st) | stats values(ClientName) as ClientName values(somestate) as somestate by remote_gateway_st </CODE></PRE> <P>I have tried with your provided data:</P> <PRE><CODE>| makeresults | eval _raw="SNMPv2-SMI::enterprises. \"5560.300.9002.1.3.111.112.113.114.0 \" = \"state \" \n somestate = state \n remote_gateway_st = 111.112.113.114 \n host = titi \n index = someindex \n linecount = 1 \n punct = -::. \"......... \"= \" \"_ \n source = snmp://test \n sourcetype = sourcetype_toto \n splunk_server = host1 \n splunk_server_group = dmc_group_indexer \n timestamp = none" | kv | append [| makeresults | eval _raw="SNMPv2-SMI::enterprises. \"5560.300.9002.1.2.217.167.157.241.0 \" = \"a_client \" \n \n ClientName = a_client \n remote_gateway = 111.112.113.114 \n host = titi \n index = someindex \n linecount = 1 \n punct = -::. \"......... \"= \" \"_ \n source = snmp://test \n sourcetype = sourcetype_toto \n splunk_server = host1 \n splunk_server_group = dmc_group_indexer \n timestamp = none" | kv] | eval remote_gateway_st=coalesce(remote_gateway,remote_gateway_st) | stats values(ClientName) as ClientName values(somestate) as somestate by remote_gateway_st </CODE></PRE> <P>Happy Splunking</P> Tue, 28 Nov 2017 17:11:52 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306032#M164733 kamlesh_vaghela 2017-11-28T17:11:52Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306033#M164734 <P>I would go for option 1. Joins are expensive, so unless you have multiple events per emote_gateway values, you can use option 1.</P> Tue, 28 Nov 2017 19:19:47 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306033#M164734 somesoni2 2017-11-28T19:19:47Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306034#M164735 <P>@kamlesh_vaghela - Good job. One improvement..</P> <P>This... </P> <PRE><CODE>| eval remote_gateway_st=if(isnotnull(remote_gateway),remote_gateway,remote_gateway_st) </CODE></PRE> <P>...can be written as this ... </P> <PRE><CODE>| eval remote_gateway_st=coalesce(remote_gateway,remote_gateway_st) </CODE></PRE> <P>...which makes the code easier to read - especially if you have one more item to coalesce together.</P> Tue, 28 Nov 2017 20:37:45 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306034#M164735 DalJeanis 2017-11-28T20:37:45Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306035#M164736 <P>hi @DalKeanis, Yeah readability make sense. Thanks for improvement. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 29 Nov 2017 04:53:31 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306035#M164736 kamlesh_vaghela 2017-11-29T04:53:31Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306036#M164737 <P>Hello everyone,</P> <P>only the second method worked but partially.<BR /> By adding dedup command on "clientname" and by searching only the events that contains somestate AND clientname, I got the perfect result.</P> <P>Thank you very much for your help and reactivity <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Have a good day<BR /> Michail</P> Wed, 29 Nov 2017 08:37:39 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306036#M164737 mvagionakis 2017-11-29T08:37:39Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306037#M164738 <P>hello Kamlesh, thanks for replying to my question.<BR /> update: it was my mistake as I said for DalJeanis reply...yours works also very well <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> I thank you again for your time <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Have a great day.<BR /> Michail</P> Wed, 29 Nov 2017 08:40:30 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306037#M164738 mvagionakis 2017-11-29T08:40:30Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306038#M164739 <P>Hello again,</P> <P>Option 1 is better, it was my fault, I missed type a field..oups <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>Thank you again DalJeanis <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Have a great day</P> Wed, 29 Nov 2017 14:00:17 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306038#M164739 mvagionakis 2017-11-29T14:00:17Z https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306039#M164740 <P>Ah, good. Glad to help.</P> Wed, 29 Nov 2017 23:27:42 GMT https://community.splunk.com/t5/Splunk-Search/combine-different-fileds-from-different-events/m-p/306039#M164740 DalJeanis 2017-11-29T23:27:42Z