Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we Regex while using "OR"

vikasreddy
Explorer
‎02-18-2017 05:42 PM

I have two indexers where i have to compare one field among them.I don't want to use join,Instead of that i used OR condition But the thing is from one of the index I have to extract a field using rex during search time .How can I do that.
index A
Sample Field (this field already present in the index )

index B
I have to extract the field

Here is the sample Query
(index=A sourcetype=xyz) OR (index=B sourcetype=ABC )
| rex "doc_name:\"(?[^+]+)"

when I am doing this it is considering only one index data i.e only from B index it is taking data. How can I over come this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎02-18-2017 07:21 PM

Right, you are on the right track as the simulation of JOIN can be done via OR and then stats.

The following explains it nicely by @sideview - simulating a SQL JOIN in Splunk

It says

-- But here's how to do it just with search and stats. One big OR clause in search mashes the two data sets together and then we do a little bit of stats command to merge it all into what we want.

The code example is - source=costtable OR source=usertable | stats first(username) as name sum(cost) as total by userid | sort - total | fields username total

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-20-2017 01:19 PM

Let's assume that there is a field name "sample" on index A, and no such field on B. However, in the _raw on B there is a section that the value of sample can be pulled from, and no such section on index A. Let's also assume that there is a value statA on A and a value statB on B that you need to get the total of.

(index=A sourcetype=xyz) OR (index=B sourcetype=ABC )
| rex "doc_name:\"(?<sampleB>[^+]+)"
| eval sample =coalesce(sample,sampleB)
| stats sum(statA) as StatA sum(statB) as statB by sample
0 Karma
Reply
Solved! Jump to solution

vikasreddy
Explorer
‎02-18-2017 09:36 PM

But My Question is how can I do that?

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-19-2017 12:51 PM

Probably you need to do the following -

1) OR the two indexes
2) extract the field from index B, and producing a field with same name as the field from A
3) stats on this field, per example above

0 Karma
Reply
Solved! Jump to solution

vikasreddy
Explorer
‎02-19-2017 08:06 PM

I am not able to go forward , Here is my detail explanation

I have a Index A from which i have to take a field name Say "Sample". In index B I have to extract a field using rex with same name "Sample". the thing is when we using OR it is extracting the field sample from one index only i.e index B . how to get field and values from both the index?

detail query

(index= A sourcetype=xyz) OR (index=B sourcetype=cdf )
|rex"^)?P[^,]*)

i have written the query in this type when i ran it's show data from ony index B .how can i get data from both the index ?

0 Karma
Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎02-18-2017 07:21 PM

Right, you are on the right track as the simulation of JOIN can be done via OR and then stats.

The following explains it nicely by @sideview - simulating a SQL JOIN in Splunk

It says

-- But here's how to do it just with search and stats. One big OR clause in search mashes the two data sets together and then we do a little bit of stats command to merge it all into what we want.

The code example is - source=costtable OR source=usertable | stats first(username) as name sum(cost) as total by userid | sort - total | fields username total

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...