https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/632780#M219817 <P>Rename the fields so that they have the same name, you can then do stats using the by clause to gather values from the two events together.</P> Wed, 01 Mar 2023 14:35:08 GMT ITWhisperer 2023-03-01T14:35:08Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/632773#M219814 <P>we have two separate events which have a common field x-provider-api-correlation-id .<BR /><BR />In 1st event it is coming as part of HTTP response header and in second api it is coming as part of Http Request Header.<BR /><BR /><BR />My requirement is to extract&nbsp; start time (_time-(time_to_serve_request/1000), endtime which is _time from these two separate events&nbsp; based of x-provider-api-correlation-id which is having same value .<BR /><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P><BR /><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Mar 2023 20:27:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/632773#M219814 xp001975 2023-03-08T20:27:24Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/632780#M219817 <P>Rename the fields so that they have the same name, you can then do stats using the by clause to gather values from the two events together.</P> Wed, 01 Mar 2023 14:35:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/632780#M219817 ITWhisperer 2023-03-01T14:35:08Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633475#M220049 <P>Not clearly able to understand "<SPAN><STRONG>Rename the fields so that they have the same name</STRONG>" in particular</SPAN>. Is my Splunk query&nbsp;looks correct like you&nbsp; suggested in previous response.&nbsp;</P> Mon, 06 Mar 2023 19:58:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633475#M220049 xp001975 2023-03-06T19:58:20Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633513#M220056 <P>Note that field names are case-sensitive and it is best to avoid special characters in field names.</P><LI-CODE lang="markup">| rename response_http_headers{}.x-provider-api-correlation-id as x_provider_api_correlation_id | rename request_http_headers{}.X-Provider-API-Correlation-Id as x_provider_api_correlation_id | stats values(*) as * by x_provider_api_correlation_id</LI-CODE> Mon, 06 Mar 2023 23:52:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633513#M220056 ITWhisperer 2023-03-06T23:52:21Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633614#M220072 <P>deleted the message</P> Tue, 07 Mar 2023 22:25:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633614#M220072 xp001975 2023-03-07T22:25:24Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633621#M220075 <P>All data looks good&nbsp; except&nbsp;</P><P><FONT color="#FF0000"><STRONG>rename _time as EToAvaTime | fieldformat EToAvaTime=strftime(EToAvaTime, "%F %T.%Q")</STRONG></FONT><BR /><FONT color="#FF0000"><STRONG>is not giving&nbsp;YYYY-MM-DD HH:MM:SS.MilliSec format .</STRONG></FONT><BR /><FONT color="#FF0000"><STRONG>coming as&nbsp;<FONT color="#800000">1677704096.378<BR /><BR /></FONT></STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="xp001975_0-1678211868698.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24232iAA09CF292BA44E83/image-size/medium?v=v2&amp;px=400" role="button" title="xp001975_0-1678211868698.png" alt="xp001975_0-1678211868698.png" /></span></P><P>&nbsp;</P><P><BR /><BR /><BR /></P> Tue, 07 Mar 2023 22:26:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633621#M220075 xp001975 2023-03-07T22:26:48Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633622#M220076 <P>Fieldformat does not apply to the subsearch - try this way</P><LI-CODE lang="markup">index=apic* app_name=Inter | eval Starttime=strftime(_time-(time_to_serve_request/1000), "%F %T.%Q") | table Starttime _time response_http_headers{}.x-provider-api-correlation-id time_to_serve_request status_code | rename _time as ESLToInterTime | fieldformat ESLToInterTime=strftime(ESLToInterTime, "%F %T.%Q") | rename Starttime as InterToESLTime | join X-Provider-API-Correlation-Id [ search index=apic* app_name=Ava | eval Starttime=strftime(_time-(time_to_serve_request/1000), "%F %T.%Q") | table Starttime _time request_http_headers{}.X-Provider-API-Correlation-Id time_to_serve_request status_code | rename _time as ESLToAvaTime | rename Starttime as AvaTOESLTime ] | fieldformat ESLToAvaTime=strftime(ESLToAvaTime, "%F %T.%Q")</LI-CODE> Tue, 07 Mar 2023 18:06:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633622#M220076 ITWhisperer 2023-03-07T18:06:42Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633651#M220091 <P>Thanks ITWhisperer ! That works .<BR /><BR />Is there a way we can join two different indexes , earlier&nbsp; case is same index .&nbsp;</P> Tue, 07 Mar 2023 22:29:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633651#M220091 xp001975 2023-03-07T22:29:28Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633677#M220101 <P>A join will join the current events in the pipeline (from the first search) with the events from the subsearch. These searches are independent of each other and can be resolved using different indexes.</P><P>Similarly, you can use stats to gather events which can from different indexes in the same initial search.</P><LI-CODE lang="markup">(index=a sourcetype=b) OR (index=x sourcetype=y) | rename fieldA as commonfieldname | rename fieldX as commonfieldname | stats values(*) as * by commonfieldname</LI-CODE><P>&nbsp;</P> Wed, 08 Mar 2023 07:04:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/633677#M220101 ITWhisperer 2023-03-08T07:04:42Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/634625#M220477 <P><STRONG><SPAN class="">eip-microservice-metric</SPAN></STRONG><SPAN>:&nbsp;</SPAN><SPAN class="">{"path":"/request","method":"POST","status":"200 OK","consCorrId":null,"apiTransId":"139efc926411fa1536b2488f","appName":null,"<STRONG>start</STRONG>":"2023-03-15T13:02:13.596-0400","<STRONG>end</STRONG>":"2023-03-15T13:02:13.992-0400","tTime":396,"aTime":1,"fTime":395,"e":null,"addl":{"X-Correlation-Id":"d7-7c455c12ac15","X-Provider-Correlation-Id":"586752.393268","X-Provider-API-Correlation-Id":"9176536b2488f"},"pMetrics":[{"provider":"API","function":"invokeXXXX","time":395,"e":null}],}<BR /><BR /><BR />How to extract&nbsp;start and end from this&nbsp;<SPAN class=""><U><STRONG>eip-microservice-metric</STRONG></U>&nbsp;?</SPAN></SPAN></P> Wed, 15 Mar 2023 17:10:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-output-bases-on-a-common-value-from-two/m-p/634625#M220477 xp001975 2023-03-15T17:10:59Z