topic Re: Fields in different events in a table in Splunk Search

How to get fields in different events in a table?

Paul — Mon, 14 Nov 2022 13:22:08 GMT

Hello:

I am trying to get fields from different events in the same table.

I have two different events, and let's say they have these fields:

First event:

Field1 = A

Field2 = B

Second event:

Field1 = A

Field3 = C

So if I run the following:

index=whatever sourcetype=whatever | table Field1 Field2 Field3

I get a table like such:

Field1 Field2 Field3

A B

A C

I am trying to get the table to look like this, because Field1 is the same value:

Field1 Field2 Field3

A B C

Basically, I am trying to pull a value from one event where the message IDs or session IDs are unique, and have Splunk go find another event with matching message IDs, and grab a different value from that separate event and output it to the same row in a table so the values in the table correspond with their respective message IDs.

Re: Fields in different events in a table

gcusello — Sat, 12 Nov 2022 07:20:57 GMT

Hi @Paul,

if the events com from the same index and have the same sourcetype, you have to group them using the stats command:

index=whatever sourcetype=whatever | stats values(Field2) AS Field2 values(Field3) AS Field3 BY Field1

choosing the common field for the BY clause and using the values option to avoid the list replication.

Ciao.

Giuseppe

Re: Fields in different events in a table

Paul — Sat, 12 Nov 2022 12:23:39 GMT

It worked. Thank you very much.

Re: Fields in different events in a table

gcusello — Sat, 12 Nov 2022 17:14:13 GMT

Hi @Paul,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉