Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to copy the field values of one event to anoth...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to extract fields form different sources by comparing two IPs. I want to copy the fields of location and state by comparing IP and MAC. Present I am seeing the table 1, but I want a result as table 2.
Table 1:
Time IP MAC LOCATION STATE source
10:00 10.10.10.11 XXX foo.com
12:00 10.10.10.11 YYY foo.com
11:11 10.10.10.11 XXX INDIA A.P joo.com
Table 2:
output: I want to copy the fields of location and state by comparing IP and MAC
Time IP MAC LOCATION STATE source
10:00 10.10.10.11 XXX INDIA A.P foo.com
12:00 10.10.10.11 YYY foo.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I used the transaction, but it's grouping the values with matching IP and MAC.
Here is the another way without join or transaction commands.
Search:
index = foo.com OR index = joo.com | eval IPMAC = coallesce(IP,MAC)| streamstats current=t values(LOCATION) as LOCATION , values(STATE) as STATE by IPMAC | table *
Note: Here, the key point is streamstats which copy the fields of the second index by matching IP and MAC.
If you are having different field names which represent the same structure, try using the search below. It might be useful.
Search:
index = foo.com OR index = joo.com |eval IP = coallesce(IP,IPADDR) | eval MAC = coallesce(MAC, MAC1)| eval IPMAC = coallesce(IP,MAC)| streamstats current=t values(LOCATION) as LOCATION , values(STATE) as STATE by IPMAC | table *
Thanks,
Nagendra.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I used the transaction, but it's grouping the values with matching IP and MAC.
Here is the another way without join or transaction commands.
Search:
index = foo.com OR index = joo.com | eval IPMAC = coallesce(IP,MAC)| streamstats current=t values(LOCATION) as LOCATION , values(STATE) as STATE by IPMAC | table *
Note: Here, the key point is streamstats which copy the fields of the second index by matching IP and MAC.
If you are having different field names which represent the same structure, try using the search below. It might be useful.
Search:
index = foo.com OR index = joo.com |eval IP = coallesce(IP,IPADDR) | eval MAC = coallesce(MAC, MAC1)| eval IPMAC = coallesce(IP,MAC)| streamstats current=t values(LOCATION) as LOCATION , values(STATE) as STATE by IPMAC | table *
Thanks,
Nagendra.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nagendra008,
I would suggest you to use a lookup to enrich the data. Another possible sollution would be to use the transaction command to bring events that have the same IP and MAC address together and use the field of location and state of one of the events.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Gfreitas,
On my understanding lookup will be helpful only with small data, Lookup performance is less when we try to use with millions of records.
Regards,
Nagee.
Introduction to Splunk AI
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Maximizing the Value of Splunk ES 8.x
