https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562478#M195622 <P>Hi Splunk experts,</P><P>I have below usecase and using below query</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=Index1 app_name IN ("customer","contact") | rex field=msg.message.details "\"accountUuid\":\"(?&lt;SFaccountUUID&gt;[^\n\r\"]+)" | rex field=msg.message.details "\"contactId\":\"(?&lt;SFcontactUUID&gt;[^\n\r\"]+)" |rex field=msg.details "\'customerCode\'\=\'(?&lt;cac&gt;[^\n\r\']{10})\'" | rename msg.correlationId AS correlationId | stats latest(SFcontactUUID) as contactUUID,latest(SFaccountUUID) as accountUUID,values(msg.tag.Status) as QStatus,values(msg.tag.errorMessage) as Q_errorMessage,values(msg.tag.errorCode) as Q_errorCode by correlationId | join type=left correlationId [search index=index2 app_name="contact1" |rename msg.message.header.correlationId AS correlationId |stats values(msg.message.header.Status) AS DStatus,values(msg.message.header.eventName) AS eventName,values(msg.message.header.errorMessage) as D_errorMessage,values(msg.message.header.errorCode) as D_errorCode by correlationId] The common identifier between the 2 searches is the correlationId. Below is sample result </LI-CODE><P>&nbsp;</P><TABLE width="701"><TBODY><TR><TD width="75">correlationId</TD><TD width="90">contactUUID</TD><TD width="101">accountUUID</TD><TD width="118">Q_errorMessage</TD><TD width="88">Q_errorCode</TD><TD width="91">D_errorCode</TD><TD width="138">D_errorMessage</TD></TR><TR><TD width="75">ab861125-6cd7-493b-999f-ef9b2edd8315023758601</TD><TD width="90">&nbsp;</TD><TD width="101">C0DABCC1-EFC8-11eb-A67A-005056B89B42</TD><TD width="118">null</TD><TD width="88">null</TD><TD width="91">201 null</TD><TD width="138">null { "ContactUUID": "b020c98a-43f5-d6b3-e983-45ffddf52a73"}</TD></TR></TBODY></TABLE><P>Is it possible to coalesce the value of highlighted in red from subsearch into the ContactUUID field in the outersearch?I am expecting this value either in outer or subsearch and so how can I solve it?&nbsp;<BR /><BR /><BR /></P> Sat, 07 Aug 2021 03:35:29 GMT prasant 2021-08-07T03:35:29Z https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562478#M195622 <P>Hi Splunk experts,</P><P>I have below usecase and using below query</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=Index1 app_name IN ("customer","contact") | rex field=msg.message.details "\"accountUuid\":\"(?&lt;SFaccountUUID&gt;[^\n\r\"]+)" | rex field=msg.message.details "\"contactId\":\"(?&lt;SFcontactUUID&gt;[^\n\r\"]+)" |rex field=msg.details "\'customerCode\'\=\'(?&lt;cac&gt;[^\n\r\']{10})\'" | rename msg.correlationId AS correlationId | stats latest(SFcontactUUID) as contactUUID,latest(SFaccountUUID) as accountUUID,values(msg.tag.Status) as QStatus,values(msg.tag.errorMessage) as Q_errorMessage,values(msg.tag.errorCode) as Q_errorCode by correlationId | join type=left correlationId [search index=index2 app_name="contact1" |rename msg.message.header.correlationId AS correlationId |stats values(msg.message.header.Status) AS DStatus,values(msg.message.header.eventName) AS eventName,values(msg.message.header.errorMessage) as D_errorMessage,values(msg.message.header.errorCode) as D_errorCode by correlationId] The common identifier between the 2 searches is the correlationId. Below is sample result </LI-CODE><P>&nbsp;</P><TABLE width="701"><TBODY><TR><TD width="75">correlationId</TD><TD width="90">contactUUID</TD><TD width="101">accountUUID</TD><TD width="118">Q_errorMessage</TD><TD width="88">Q_errorCode</TD><TD width="91">D_errorCode</TD><TD width="138">D_errorMessage</TD></TR><TR><TD width="75">ab861125-6cd7-493b-999f-ef9b2edd8315023758601</TD><TD width="90">&nbsp;</TD><TD width="101">C0DABCC1-EFC8-11eb-A67A-005056B89B42</TD><TD width="118">null</TD><TD width="88">null</TD><TD width="91">201 null</TD><TD width="138">null { "ContactUUID": "b020c98a-43f5-d6b3-e983-45ffddf52a73"}</TD></TR></TBODY></TABLE><P>Is it possible to coalesce the value of highlighted in red from subsearch into the ContactUUID field in the outersearch?I am expecting this value either in outer or subsearch and so how can I solve it?&nbsp;<BR /><BR /><BR /></P> Sat, 07 Aug 2021 03:35:29 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562478#M195622 prasant 2021-08-07T03:35:29Z https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562486#M195623 <P>You could try something like this</P><LI-CODE lang="markup">index=Index1 app_name IN ("customer","contact") | rex field=msg.message.details "\"accountUuid\":\"(?&lt;SFaccountUUID&gt;[^\n\r\"]+)" | rex field=msg.message.details "\"contactId\":\"(?&lt;SFcontactUUID&gt;[^\n\r\"]+)" |rex field=msg.details "\'customerCode\'\=\'(?&lt;cac&gt;[^\n\r\']{10})\'" | rename msg.correlationId AS correlationId | stats latest(SFcontactUUID) as contactUUID,latest(SFaccountUUID) as accountUUID,values(msg.tag.Status) as QStatus,values(msg.tag.errorMessage) as Q_errorMessage,values(msg.tag.errorCode) as Q_errorCode by correlationId | append [search index=index2 app_name="contact1" | rex field=msg.message.header.errorCode "\"ContactUUID\":\"(?&lt;SFcontactUUID&gt;[^\n\r\"]+)" | rename msg.message.header.correlationId AS correlationId |stats values(msg.message.header.Status) AS DStatus,values(msg.message.header.eventName) AS eventName,values(msg.message.header.errorMessage) as D_errorMessage,values(msg.message.header.errorCode) as D_errorCode values(SFContactUUID) and SFContactUUID by correlationId] | stats values(*) as * by correlationId</LI-CODE> Sat, 07 Aug 2021 07:03:38 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562486#M195623 ITWhisperer 2021-08-07T07:03:38Z https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562503#M195628 <P>Hi,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>thanks for u r response, but your solution doesnt seem to work, I am using join( real time) so I can get the values of the subsearch as column, against the join condition. i.e common identifier is correlation ID.</P><P>Outer Search A,&nbsp; Contact Column x</P><P>Subsearch B, Contact Column y&nbsp;</P><P>Join condition correlationId</P><P>final stats/table should have combined result of column x and y along with all the other columns from Search A and Search B. The reason I want to combine the values is that, sometime Column x or Column Y will have the value.</P><P>thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 08 Aug 2021 03:17:51 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562503#M195628 prasant 2021-08-08T03:17:51Z https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562509#M195629 <P>Sorry typo (field names are case sensitive)</P><LI-CODE lang="markup">values(SFcontactUUID) and SFcontactUUID</LI-CODE><P>&nbsp;The final stats does "join" by correlation id; where field names are the same, the values from both searches are joined into multi-value fields, so SFcontactUUID will have values from both searches, so in your case, if it is only present in one search or the other, they are effectively coalesced into a single field.</P> Sun, 08 Aug 2021 07:56:26 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562509#M195629 ITWhisperer 2021-08-08T07:56:26Z https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562519#M195633 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Thanks it worked, I was thinking of using rex and combine the indexes in one search.</P> Mon, 09 Aug 2021 00:01:05 GMT https://community.splunk.com/t5/Splunk-Search/coalesce-values-of-Outsearch-and-Subsearch/m-p/562519#M195633 prasant 2021-08-09T00:01:05Z