topic Re: How can I search across two sourcetypes for matching fields and output a table with matching results? in Splunk Search

How can I search across two sourcetypes for matching fields and output a table with matching results?

vkrishnachand — Wed, 29 Nov 2017 09:15:33 GMT

I have one index with two sourcetypes: S1 and S2. In sourcetype S1 I have fields A, B, C and in sourcetype S2 I have fields D, E, F.

The values in B field will sometimes be equal to values in E field, where if they are equal my final output should be in form of table with fields A,B,C,D,E,F.

Please help on the same.

Re: How can I search across two sourcetypes for matching fields and output a table with matching results?

jplumsdaine22 — Wed, 29 Nov 2017 09:24:10 GMT

If B & E are unique identifiers that are the same, you could do something like this:

index=A (sourcetype=S1 OR sourcetype=S2) 
| eval G=coalesce(B,E) 
| stats values(A) as A values(C) as C values(D) as D values(F) as F by G

Re: How can I search across two sourcetypes for matching fields and output a table with matching results?

vkrishnachand — Wed, 29 Nov 2017 10:08:01 GMT

thanks for this. I should display the result in a table something like a table with all the fields combined to gether something like table A B C D E F. how to do this.

Re: How can I search across two sourcetypes for matching fields and output a table with matching results?

vkrishnachand — Wed, 29 Nov 2017 10:18:12 GMT

thanks for this. I should display the result in a table something like a table with all the fields combined to gether something like table A B C D E F. how to do this.

Re: How can I search across two sourcetypes for matching fields and output a table with matching results?

jplumsdaine22 — Wed, 29 Nov 2017 10:48:00 GMT

That search should do it. You can rearrange the fields like this if you want:

 | fields A G C D F

(don't forget we made G the value of B or E)