
How to combine two searches by row which have some columns in common but not ids

sachinkiet
Explorer

Hi,

I have two searches: the first gives open alert data and the second gives closed alert data. I want to merge both results.

First search (open alerts):

alert id   message   server       opentriggredtime
1          fsdf      127.0.0.1    01/09/20
2          fdsfs     127.0.0.1    01/09/20

Second search (closed alerts):

closed id  message   server       closedtriggredtime
3          fdsfs     127.0.0.0    01/09/20
4          fsdf      127.0.0.0    01/09/20

Desired merged result:

alert id & closed id   message   server       opentriggredtime   closedtriggredtime
1                      fsdf      127.0.0.1    01/09/20
2                      fdsfs     127.0.0.1    01/09/20
3                      fdsfs     127.0.0.0                       01/09/20
4                      fsdf      127.0.0.0                       01/09/20

sachinkiet
Explorer

Actually, the data which I am getting is from two searches. You have used the split function at line no. 4; why are we using it?


ITWhisperer
SplunkTrust

The first part just creates sample data; you don't need this as you already have the data. The important parts are the renames:

your first search
| rename "alert id" as id
| append [ your second search
| rename "closed id" as id
]
| table id message server opentriggredtime closedtriggredtime


ITWhisperer
SplunkTrust

Rename the id fields to the same name and append one search to the other:


| makeresults | eval event="{\"alert id\":1,\"message\":\"fsdf\",\"server\":\"127.0.0.1\",\"opentriggredtime\":\"01/09/20\"}\n{\"alert id\":2,\"message\":\"fdsfs\",\"server\":\"127.0.0.1\",\"opentriggredtime\":\"01/09/20\"}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| fields - _time event
--- created first table
| rename "alert id" as id
| append [ | makeresults | eval event="{\"closed id\":3,\"message\":\"fdsfs\",\"server\":\"127.0.0.0\",\"closedtriggredtime\":\"01/09/20\"}\n{\"closed id\":4,\"message\":\"fsdf\",\"server\":\"127.0.0.0\",\"closedtriggredtime\":\"01/09/20\"}"
| eval event=split(event,"\n")
| mvexpand event
| spath input=event
| fields - _time event
--- created second table
| rename "closed id" as id
]
| table id message server opentriggredtime closedtriggredtime
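A variation on the accepted approach, added here as an example and not part of the thread above: the same rename-then-merge idea, but using multisearch instead of append so the second search is not run as a subsearch (append's subsearch is subject to the result-count and run-time limits in limits.conf, which silently truncate large result sets), and with a status field added in each branch so the merged table records which search each row came from. The index and sourcetype values are assumptions standing in for the asker's two searches; multisearch requires each branch to consist only of streaming commands (eval and rename qualify), so if the original searches end in a transforming command such as stats, stay with append.

```spl
| multisearch
    [ search index=alerts sourcetype=alert_open
      | eval status="open"
      | rename "alert id" as id ]
    [ search index=alerts sourcetype=alert_closed
      | eval status="closed"
      | rename "closed id" as id ]
| table id status message server opentriggredtime closedtriggredtime
| sort id
```

Rows from the first branch have opentriggredtime populated and closedtriggredtime empty, and vice versa for the second; add `| fillnull value="-"` before the table if the empty cells should be shown explicitly.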
