Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Join three sources without common fields and assig...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join three sources without common fields and assign one fields to other field
I have three sources on same index ="test"
source1 source2 RefSource2
Trans_ID SourceType TRANS_ID Trans_Name Trans_Type REF_ID REF_DESC
123 01 123 Name1 03 01 Type1
234 02 345 Name4 04 02 Type2
345 03 567 Name2 02 03 Type3
04 Type4
Result table should be
Trans_ID SourceType Trans_Name Trans_Type
123 Type1 Name1 Type3
345 Type3 Name4 Type4 where Trans_id is common for source1and source2..
Please help me how to achive above result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Attached image ralted to tables and its relation .
Source 1 &source2 has common filed Trans_ID
IF Source1.SourceType=REF_ID then assign Source1.SourceType=REF_DESC
IF Source2.Trans_Type=REF_ID then assign Source2.Trans_Type=REF_DESC
![alt text][1]
Final Result should be:
Trans_ID SourceType Trans_Name Trans_Type
123 Type1 Name1 Type4
345 Type3 Name3 Type2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post which source have what fields and (if any) relationship between those fields?
New Year, New Changes for Splunk Certifications
[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
