How do you move fields from one event to another?

pc1234 · ‎12-02-2018

i have events that contain the following.

host sourcetype value1 value2
100 log-c .60
100 log-d .75
100 log-retention-c 1
100 log-retention-d 2
100 cpuload .4

i want to combine the events to the following:

host sourcetype value1 value2
100 log-c .60 1
100 log-d .75 2
100 cpuload .4

The only source type that requires this are those beginning with log. I need value1 or value2 in the same event to calculate a status based on the values.

Note: Sorted by source type, there are no intervening source types between log% and log-retention%.

Any assistance is appreciated.

Best Regards,

HiroshiSatoh · ‎12-02-2018

I would like you to explain the situation more concretely

As a general story…
The way to combine the fields of another event into the event is below.

(Efficient method)
sourcetype=sourcetype_a OR sourcetype=sourcetype_b  | stats latest(*) AS * BY your_key

(Easy way)
sourcetype=sourcetype_a | join type=inner your_key
[search sourcetype=sourcetype_b  | dedup your_key| table your_key,  fields_1, ields_2,fields_other]

How do you move fields from one event to another?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How do you move fields from one event to another?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits