How to join two columns from different "Source" fi...

chvenu17 · ‎11-28-2019

I have two join two different source file having similar column

Source1 ( basically iostat data and loaded to splunk for every minute)

_time,hdisk,host,disk_usage...
20191128.024935,hdisk1,host1,30
20191128.024935,hdisk2,host1,40
20191128.024935,hdisk3,host1.50

source2 (having disk and its file system mapping ..populated daily once)
filesystem
/fs1,hdisk1
/fs2,hdisk2
/fs3,hdisk3

both source1 and source2 mapped to single source type

How can i join both sources in splunk so i get the data in below format

_time,hdisk,host,disk_usage,filesystem
20191128.024935,hdisk1,host1,30,/fs1
20191128.024935,hdisk2,host1,40,/fs2
20191128.024935,hdisk3,host1.50,/fs3

woodcock · ‎12-02-2019

Like this:

| makeresults 
| eval _raw="_time,hdisk,host,disk_usage
20191128.024935,hdisk1,host1,30
20191128.024935,hdisk2,host1,40
20191128.024935,hdisk3,host1,50"
| eval source="Source1"
| append [|makeresults 
| eval _raw="filesystem,disk
/fs1,hdisk1
/fs2,hdisk2
/fs3,hdisk3"
| eval source="Source2"]
| multikv forceheader=1

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval hdisk=coalesce(disk, hdisk)
| dedup hdisk source
| eval _time = if(source=="Source1", _time, null())
| stats first(_time) AS _time values(*) AS * BY hdisk
| table _time hdisk host disk_usage filesystem

to4kawa · ‎11-28-2019

Hi, @chvenu17

sourcetype=your_sourcetype 
|rex field=filesystem "(?<files>[^,]+),(?<hdisk2>).+"
|eval hdisk=coalesce(hdisk,hdisk2)
|stats values(_time) as _time,  values(host) as host values(disk_usage) as disk_usage values(files) as filesystem by hdisk
|table _time,hdisk,host,disk_usage,filesystem

How about it?

How to join two columns from different "Source" files?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!