I have two indexers where I have to compare one field between them. I don't want to use join; instead of that I used an OR condition. But the thing is, from one of the indexes I have to extract a field using rex at search time. How can I do that?
index A
Sample Field (this field is already present in the index)
index B
I have to extract the field
Here is the sample query:
(index=A sourcetype=xyz) OR (index=B sourcetype=ABC)
| rex "doc_name:\"(?<sample>[^+]+)"
When I do this it only considers data from one index, i.e. it only takes data from index B. How can I overcome this?
Right, you are on the right track as the simulation of JOIN can be done via OR and then stats.
The following explains it nicely by @sideview - simulating a SQL JOIN in Splunk
It says
-- But here's how to do it just with search and stats. One big OR clause in search mashes the two data sets together and then we do a little bit of stats command to merge it all into what we want.
The code example is: source=costtable OR source=usertable | stats first(username) as name sum(cost) as total by userid | sort - total | fields username total
Let's assume that there is a field named "sample" on index A, and no such field on B. However, in the _raw on B there is a section that the value of sample can be pulled from, and no such section on index A. Let's also assume that there is a value statA on A and a value statB on B that you need to get the total of.
(index=A sourcetype=xyz) OR (index=B sourcetype=ABC)
| rex "doc_name:\"(?<sampleB>[^+]+)"
| eval sample=coalesce(sample,sampleB)
| stats sum(statA) as StatA sum(statB) as statB by sample
But my question is, how can I do that?
Probably you need to do the following:
1) OR the two indexes
2) extract the field from index B, producing a field with the same name as the field from A
3) stats on this field, per the example above
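As an added example, not part of the original answers: the same OR, rex, coalesce and stats pattern over a small constructed dataset built with makeresults and append, so it can be pasted into any Splunk search bar without the real A and B indexes. The index, sourcetype, sample, statA and statB values are constructed placeholders; in the real search the first four lines are replaced by (index=A sourcetype=xyz) OR (index=B sourcetype=ABC).

```spl
| makeresults | eval index="A", sourcetype="xyz", sample="alpha", statA=10
| append [| makeresults | eval index="A", sourcetype="xyz", sample="beta", statA=20]
| append [| makeresults | eval index="B", sourcetype="ABC", _raw="doc_name:\"alpha+other", statB=5]
| append [| makeresults | eval index="B", sourcetype="ABC", _raw="doc_name:\"gamma+other", statB=7]
| rex field=_raw "doc_name:\"(?<sampleB>[^+]+)"
| eval sample=coalesce(sample, sampleB)
| stats sum(statA) as statA sum(statB) as statB values(index) as indexes by sample
```

Rows from A carry no doc_name text, so rex yields no sampleB for them and coalesce keeps their existing sample, while rows from B get sample filled from sampleB. The stats output then has one row per sample value (alpha: statA=10, statB=5, indexes A and B; beta: statA=20 only; gamma: statB=7 only), which is the merged result the OR plus stats approach is meant to give.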
I am not able to go forward. Here is my detailed explanation:
I have an index A from which I have to take a field named, say, "Sample". In index B I have to extract a field using rex with the same name "Sample". The thing is, when we use OR it extracts the field Sample from one index only, i.e. index B. How do I get the field and values from both indexes?
Detailed query:
(index=A sourcetype=xyz) OR (index=B sourcetype=cdf)
| rex "^(?P<Sample>[^,]*)"
I have written the query in this form; when I run it, it shows data only from index B. How can I get data from both indexes?