All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Cacatenate and Search in 2 different Sources

muru143
New Member
‎06-07-2013 05:25 PM

Hi Splunk Experts,

I have 2 files

File1:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd                   Vol1           100          50

File 2:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd          IT       Vol1

File 1 is generated by storage monitoring script and file 2 is maintained manually with Dept name.

What I want to do is, I want to concatenate “Filer_Name” and “Volume_Name” in both files and based on the value lookup for Dept in File2.
How can do this in Splunk?

I got to the point of concatenating the fields in file 1, but not sure how to do lookup based in concatenated value from file 2.

I have indexed both files in splunk.

Can anyone tell me if this is possible.

Thanks for your help,

Muru

0 Karma
Reply

muru143
New Member
‎06-11-2013 09:54 AM

basically I want to lookup a field from file2 by matching concatenation of fields "filer_name" and "vol_name" in file1 to concenation of same fields in file 2.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-09-2013 07:20 PM

I don't understand the question.

However you can concatenate fields with eval

... |eval newfield=field1 . field2

Typically if you want to use file2 as a table to enrich file1, it's more convenient to set up the data as a lookup. You could generate a lookup from file2 by doing some gymnastics like:

source=file2 | fields Filer_Name, Dept, Volume_Name |outputlookup my_lookup

you might have to set up some conf to comprehend your lookup for meaningful use.
More about lookups: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

Once you have the lookup set up to work automatically or by invocation, it would become something like

source=file1 |lookup my_lookup | ...

where you may wish to filter the items to augment before or after the lookup.

0 Karma
Reply

muru143
New Member
‎06-11-2013 10:34 AM

Thanks, I was able to use lookup to accomplish what I wanted to do.

Thanks for your help,

-Muru

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-07-2013 11:48 PM

Many things are possible. Please show in more detail how you want the results presented. It's not really clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...