Solved: How to combine two searches with common value into...

alexandrebas · ‎12-01-2021

I need help regarding a join from events based on two different indexes that are related by the same value in one specific field.

Below a simple example:

index=source1 | table device.hostname,device.serialnumber

Results:

device.hostname	device.serialnumber
host1	ABC
host2	DEF

index=source2 | table hostname,user

Results:

hostname	user
host1	john
host2	mary

I would like to join these two searches in order to get the following results:

device.hostname	device.serialnumber	user
host1	ABC	john
host2	DEF	mary

Thank in advance for your help.

ITWhisperer · ‎12-03-2021

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')

View solution in original post

alexandrebas · ‎12-03-2021

It worked @ITWhisperer .

Thank you very much.

ITWhisperer · ‎12-01-2021

index=source1 OR index=source2
| eval hostname=coalesce(hostname,device.hostname)
| stats values(device.serialnumber) as serialnumber values(user) as user by hostname

alexandrebas · ‎12-03-2021

Hi @ITWhisperer

Thank you for your help. However, the field serialnumber wasn´t populated. It seems the two searches weren´t merged.

Regards,

Alexandre

ITWhisperer · ‎12-03-2021

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')

How to combine two searches with common value into one table

using Splunk Cloud

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!