https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274285#M82746 <P>Try this.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries</A></P> Thu, 21 Nov 2019 05:57:47 GMT riqbal47010 2019-11-21T05:57:47Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274277#M82738 <P>Hi,</P> <P>I have two different events of data :</P> <PRE><CODE>Event 1 = mail : id_mail : 1 title_mail : test mail_srv : host1 Event 2 = server: id_srv : 3 srv_name : host1 srv_ip : 192.168.0.1 </CODE></PRE> <P>I want to print Event 1 (mail) data with a column containing the server IP like this : id_mail, title_mail, mail_srv, srv_ip</P> <P>How can I do this?</P> <P>Thanks</P> Tue, 29 Sep 2020 12:42:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274277#M82738 Naaba 2020-09-29T12:42:30Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274278#M82739 <P>There need to be a common field between those two type of events. If that common field (in terms of matching values) is mail_srv/srv_name, then try like this</P> <P>your base search fetching both type of events<BR /> | eval host_name=coalesce(mail_srv,srv_name)</P> Tue, 29 Sep 2020 12:39:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274278#M82739 somesoni2 2020-09-29T12:39:41Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274279#M82740 <P>Thank you for your answer but It doesn't give the result i want.<BR /> I want to be able to use the fields the two events :</P> <P>Event 1 = mail :<BR /> id_mail : 1<BR /> title_mail : test<BR /> mail_srv : host1</P> <P>Event 2 = server:<BR /> id_srv : 3<BR /> srv_name : host1<BR /> srv_ip : 192.168.0.1</P> <P>I want to be able to print a table like this :<BR /> id_mail, title_mail, host1,id_srv ,srv_name ,srv_ip </P> Tue, 29 Sep 2020 12:42:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274279#M82740 Naaba 2020-09-29T12:42:38Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274280#M82741 <P>Didn't realize the query was incompletely posted. Here is the full query</P> <PRE><CODE>your base search fetching both type of events | eval host_name=coalesce(mail_srv,srv_name) | stats values(id_mail) as id_mail, values(title_mail) as title_mail ,values(id_srv) as id_srv, values(srv_ip) as srv_ip by host_name </CODE></PRE> Thu, 02 Feb 2017 16:56:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274280#M82741 somesoni2 2017-02-02T16:56:02Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274281#M82742 <P>There is almost certainly a better way to do this, but I think this will work based on the information that you have given</P> <PRE><CODE>index=A sourcetype=mail | join type=outer mail_srv [ search index=B sourcetype=server | dedup srv_name | rename srv_name as mail_srv ] | table id_mail, title_mail, mail_srv, srv_ip </CODE></PRE> Thu, 02 Feb 2017 17:20:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274281#M82742 lguinn2 2017-02-02T17:20:40Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274282#M82743 <P>the usage of "coalesce" is brilliant... I would've suggested "join"</P> Thu, 02 Feb 2017 18:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274282#M82743 horsefez 2017-02-02T18:24:43Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274283#M82744 <P>Try this:</P> <PRE><CODE>Your Search Here To Get Both Types Of Events | eval srv_ip=coalesce(srv_ip, mail_srv) | stats min(_time) AS _time values(*) AS * BY srv_ip </CODE></PRE> Wed, 01 Mar 2017 21:55:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274283#M82744 woodcock 2017-03-01T21:55:28Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274284#M82745 <P>whats about xyseries command. which convert coloms to rows.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries</A></P> Thu, 21 Nov 2019 05:57:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274284#M82745 riqbal47010 2019-11-21T05:57:26Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274285#M82746 <P>Try this.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries</A></P> Thu, 21 Nov 2019 05:57:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274285#M82746 riqbal47010 2019-11-21T05:57:47Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274286#M82747 <P>Like this:</P> <PRE><CODE>... | eval srv_name = coalesce(mail_srv,srv_name) | fields id_mail title_mail id_srv srv_name srv_ip | stats values(*) AS * BY srv_name | table id_mail title_mail id_srv srv_name srv_ip </CODE></PRE> Thu, 21 Nov 2019 15:35:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-events-based-on-one-common-value/m-p/274286#M82747 woodcock 2019-11-21T15:35:37Z