https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120344#M32310 <P>My challenge: I need to know what is the employer office and what is the central phone he is using?</P> Thu, 11 Sep 2014 17:46:48 GMT dfigurello 2014-09-11T17:46:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120341#M32307 <P>Hi Splunkers, </P> <P>I am having problem to correlate two sources in my splunk. <BR /> How to add information in the table with a field located in various source. </P> <P>For example:</P> <P><STRONG>file1.csv</STRONG></P> <PRE><CODE> employer,location james,TEXAS John,CALIFORNIA Peter,OREGON Karon,MONTANA </CODE></PRE> <P><STRONG>file2.csv</STRONG></P> <PRE><CODE>name, central james, MONTANA james, MONTANA james, TEXAS Peter,OREGON Peter,OREGON Peter,OREGON </CODE></PRE> <P>I would create in splunk a table with 03 fields like this:</P> <PRE><CODE>employer | Employer Location | central james | TEXAS | MONTANA james | TEXAS | MONTANA james | TEXAS | TEXAS </CODE></PRE> <P>Cheers!</P> Thu, 11 Sep 2014 05:03:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120341#M32307 dfigurello 2014-09-11T05:03:53Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120342#M32308 <P>There are a couple of ways to do this in Splunk. However, if you have data that is not event-based and is just used for lookups, you should put it in a lookup table rather than indexing it in Splunk.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/Usefieldlookups">Use field lookups</A> tutorial describes how to set up a lookup table. In your case, the file1.csv should probably be the lookup table.</P> Thu, 11 Sep 2014 06:16:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120342#M32308 lguinn2 2014-09-11T06:16:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120343#M32309 <P>Hi lguinn,</P> <P>I created two files to replicate a scenario in my splunk (files1.csv and files2.csv), however I am collecting data from 2 databases in real scenario. </P> <P>I have this structure in first source:<BR /> employer | cod_location <BR /> james | 01A<BR /> John | 02A </P> <P>Here I applied a lookup to convert the codes to city. <BR /> My search returns:</P> <P>employer | cod_location | location(lookup)<BR /> james | 01A | TEXAS<BR /> John | 02A | CALIFORNIA</P> <P>Now, I need create a "lookup" with internal data that correlate with another source&gt;<BR /> e.g:</P> <P>employer | location | Central<BR /> james | TEXAS | MONTANA<BR /> james | TEXAS | MONTANA</P> <P>Thanks!</P> Thu, 11 Sep 2014 17:38:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120343#M32309 dfigurello 2014-09-11T17:38:50Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120344#M32310 <P>My challenge: I need to know what is the employer office and what is the central phone he is using?</P> Thu, 11 Sep 2014 17:46:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120344#M32310 dfigurello 2014-09-11T17:46:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120345#M32311 <P>If you are using data from 2 databases, why not use Splunk DBConnect to retrieve the data instead of CSV files? Here is how to set up a lookup in Splunk DBConnect that accesses a database:</P> <P><A href="http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupadatabaselookuptable">http://docs.splunk.com/Documentation/DBX/1.1.4/DeployDBX/Setupadatabaselookuptable</A></P> Thu, 11 Sep 2014 19:49:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120345#M32311 lguinn2 2014-09-11T19:49:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120346#M32312 <P>I got it:<BR /> source="C:\Users\dfigurello\Desktop\xxx\ligacoes_tronco.csv" name=* central=* | rename nome as employer | join employer [ search index=brq source="C:\Users\dfigurello\Desktop\xxx\rm_local_sigla.csv" ] | stats count by employer ,central,central| sort - count | where count &gt; 15 | where central!=central <BR /> cheers</P> Mon, 28 Sep 2020 17:34:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-correlate-two-fields-from-various-sources/m-p/120346#M32312 dfigurello 2020-09-28T17:34:45Z