https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241731#M188926 <P>Are the locomotive #'s stored as two separate fields (one for each sourcetype?) or are they stored under the same name?</P> <P>If they're different..</P> <PRE><CODE>sourcetype=src1 OR sourcetype=src2 | where locomotive1=locomotive2 | table locomotive1, col2, col3, districtname </CODE></PRE> <P>If they're the same..</P> <PRE><CODE>sourcetype=src1 OR sourcetype=src2 | transaction locomotive | table locomotive, col2, col3, districtname </CODE></PRE> Fri, 22 Jan 2016 18:27:54 GMT jluo_splunk 2016-01-22T18:27:54Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241730#M188925 <P>All,</P> <P>I have 2 source types , one being XML and other being a trace log file events. I have a requirement to combine values from both. Sourcetype 1 : ITCM (trace log files) and for a given Locomotive number, go and find the events from Second source type and retrieve some info (example district name) and append to the column of the first . Basically I am displaying a table to show all the necessary fields from the first source type and just append a column with values from the second source type (based on the matching condition - locomotive number).</P> <P>I was able to combine both the source types but hadn't been successful in appending the column values from the second source, basically I tried eval (if condition match), append cols etc.</P> <P>Issues with eval(if condition match) - I can see the eval condition matches only for the events coming from second source type and doesn't equate to the events on first source type and output as below</P> <P>Row #1 displays values from sourcetype1 col1(value=locomotive number), col2value, col3value,col4 =blank (districtname) <BR /> Row #2 displays values from sourcetype2 (col1value=locomotive number), blank (col2value), blank (col3value),districtname (col4value)</P> <P>Bascially I wanted to get a result that shows one row for each event as below <BR /> col1(value=locomotive number), col2value, col3value, ,districtname</P> <P>Thoughts/Suggestions please</P> <P>Thanks<BR /> Mathan J</P> Fri, 22 Jan 2016 16:06:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241730#M188925 Mathanjey 2016-01-22T16:06:46Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241731#M188926 <P>Are the locomotive #'s stored as two separate fields (one for each sourcetype?) or are they stored under the same name?</P> <P>If they're different..</P> <PRE><CODE>sourcetype=src1 OR sourcetype=src2 | where locomotive1=locomotive2 | table locomotive1, col2, col3, districtname </CODE></PRE> <P>If they're the same..</P> <PRE><CODE>sourcetype=src1 OR sourcetype=src2 | transaction locomotive | table locomotive, col2, col3, districtname </CODE></PRE> Fri, 22 Jan 2016 18:27:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241731#M188926 jluo_splunk 2016-01-22T18:27:54Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241732#M188927 <P>This is the general framework to achieve that</P> <PRE><CODE>(Your base search 1 e.g. index=A sourcetypeA) OR (Your base search 2 e.g. index=B sourcetypeB) | stats values(Field1) as Field1 values(Field2) as Field2.... by commonField </CODE></PRE> <P>Where Field1, Field2 are the fields, from both base searches, that you want to display and common field is the field common between those two searches.</P> Fri, 22 Jan 2016 18:36:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-data-from-2-source-types/m-p/241732#M188927 somesoni2 2016-01-22T18:36:41Z