Solved: Re: How to combine two searches with common value ...

alexandrebas · ‎12-01-2021

I need help regarding a join from events based on two different indexes that are related by the same value in one specific field.

Below a simple example:

index=source1 | table device.hostname,device.serialnumber

Results:

device.hostname	device.serialnumber
host1	ABC
host2	DEF

index=source2 | table hostname,user

Results:

hostname	user
host1	john
host2	mary

I would like to join these two searches in order to get the following results:

device.hostname	device.serialnumber	user
host1	ABC	john
host2	DEF	mary

Thank in advance for your help.

ITWhisperer · ‎12-03-2021

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')

View solution in original post

alexandrebas · ‎12-03-2021

It worked @ITWhisperer .

Thank you very much.

ITWhisperer · ‎12-01-2021

index=source1 OR index=source2
| eval hostname=coalesce(hostname,device.hostname)
| stats values(device.serialnumber) as serialnumber values(user) as user by hostname

alexandrebas · ‎12-03-2021

Hi @ITWhisperer

Thank you for your help. However, the field serialnumber wasn´t populated. It seems the two searches weren´t merged.

Regards,

Alexandre

ITWhisperer · ‎12-03-2021

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')

How to combine two searches with common value into one table

using Splunk Cloud

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!