Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two searches with common value into one table

alexandrebas
Explorer
‎12-01-2021 01:24 PM

I need help regarding a join from events based on two different indexes that are related by the same value in one specific field.

Below a simple example:

index=source1 | table device.hostname,device.serialnumber

Results:

device.hostnamedevice.serialnumber
host1ABC
host2DEF


index=source2 | table hostname,user

Results:

hostnameuser
host1john
host2mary


I would like to join these two searches in order to get the following results:

device.hostnamedevice.serialnumberuser
host1ABCjohn
host2DEFmary


Thank in advance for your help.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2021 04:51 AM

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')

View solution in original post

0 Karma
Reply
Solved! Jump to solution

alexandrebas
Explorer
‎12-03-2021 05:26 AM

It worked @ITWhisperer . 

Thank you very much.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2021 02:29 PM 
index=source1 OR index=source2
| eval hostname=coalesce(hostname,device.hostname)
| stats values(device.serialnumber) as serialnumber values(user) as user by hostname
0 Karma
Reply
Solved! Jump to solution

alexandrebas
Explorer
‎12-03-2021 04:32 AM

Hi @ITWhisperer 

Thank you for your help. However, the field serialnumber wasn´t populated.  It seems the two searches weren´t merged.

Regards,

Alexandre

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2021 04:51 AM

Try with the name in single quotes

| eval hostname=coalesce(hostname,'device.hostname')
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...