All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Cacatenate and Search in 2 different Sources

muru143
New Member
‎06-07-2013 05:25 PM

Hi Splunk Experts,

I have 2 files

File1:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd                   Vol1           100          50

File 2:

Filer_Name    Dept     Volume_Name    Vol_Total    Vol_Used

Abcd          IT       Vol1

File 1 is generated by storage monitoring script and file 2 is maintained manually with Dept name.

What I want to do is, I want to concatenate “Filer_Name” and “Volume_Name” in both files and based on the value lookup for Dept in File2.
How can do this in Splunk?

I got to the point of concatenating the fields in file 1, but not sure how to do lookup based in concatenated value from file 2.

I have indexed both files in splunk.

Can anyone tell me if this is possible.

Thanks for your help,

Muru

0 Karma
Reply

muru143
New Member
‎06-11-2013 09:54 AM

basically I want to lookup a field from file2 by matching concatenation of fields "filer_name" and "vol_name" in file1 to concenation of same fields in file 2.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎06-09-2013 07:20 PM

I don't understand the question.

However you can concatenate fields with eval

... |eval newfield=field1 . field2

Typically if you want to use file2 as a table to enrich file1, it's more convenient to set up the data as a lookup. You could generate a lookup from file2 by doing some gymnastics like:

source=file2 | fields Filer_Name, Dept, Volume_Name |outputlookup my_lookup

you might have to set up some conf to comprehend your lookup for meaningful use.
More about lookups: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

Once you have the lookup set up to work automatically or by invocation, it would become something like

source=file1 |lookup my_lookup | ...

where you may wish to filter the items to augment before or after the lookup.

0 Karma
Reply

muru143
New Member
‎06-11-2013 10:34 AM

Thanks, I was able to use lookup to accomplish what I wanted to do.

Thanks for your help,

-Muru

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-07-2013 11:48 PM

Many things are possible. Please show in more detail how you want the results presented. It's not really clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...