Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you display two sources from one Index with different fields?

egt
New Member
‎12-21-2018 01:32 AM

I want to display from two sources from one Index with different fields via a key value in the result fields from both sources. is that possible?

Example:
source 1 contains the following fields: Id, function, serial number,...

source2 contains these fields: Id, leasing_end, leasing_start;....

The ID field contains the key value.

The result should show which devices on a certain date have leasing end divided by function

Translated with www.DeepL.com/Translator

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-22-2018 02:51 AM

@egt,

Another way is to use stats

index="your index" (source="source1" OR source="source2") |fields id,function,serial_number, leasing_end, leasing_start
|stats values(*) as * by id

Now you should be able to do further processing/checks on the data.
e.g.

Events(dummy)

|makeresults count=6|streamstats count as row|eval id=if(row<4,row,row-3)
|eval function=if(row<4,"func".id,"")|eval serialno=if(row<4,"sn".id,"")
|eval leasing_start=if(row>3,id."-11-2018",""),leasing_end=if(row>3,id."-12-2018","")
|fields _time,id,function,serialno,leasing_start,leasing_end

Final result

|makeresults count=6|streamstats count as row|eval id=if(row<4,row,row-3)
|eval function=if(row<4,"func".id,"")|eval serialno=if(row<4,"sn".id,"")
|eval leasing_start=if(row>3,id."-11-2018",""),leasing_end=if(row>3,id."-12-2018","")
|fields _time,id,function,serialno,leasing_start,leasing_end
|stats values(*) as * by id
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-22-2018 02:51 AM

@egt,

Another way is to use stats

index="your index" (source="source1" OR source="source2") |fields id,function,serial_number, leasing_end, leasing_start
|stats values(*) as * by id

Now you should be able to do further processing/checks on the data.
e.g.

Events(dummy)

|makeresults count=6|streamstats count as row|eval id=if(row<4,row,row-3)
|eval function=if(row<4,"func".id,"")|eval serialno=if(row<4,"sn".id,"")
|eval leasing_start=if(row>3,id."-11-2018",""),leasing_end=if(row>3,id."-12-2018","")
|fields _time,id,function,serialno,leasing_start,leasing_end

Final result

|makeresults count=6|streamstats count as row|eval id=if(row<4,row,row-3)
|eval function=if(row<4,"func".id,"")|eval serialno=if(row<4,"sn".id,"")
|eval leasing_start=if(row>3,id."-11-2018",""),leasing_end=if(row>3,id."-12-2018","")
|fields _time,id,function,serialno,leasing_start,leasing_end
|stats values(*) as * by id
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎12-21-2018 05:55 AM

you can do that with a join - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...