Splunk Enterprise
Highlighted

Correlate data between two sources

New Member

I have a situation where one index I have records multiple runners bib #, heights, age, weight, etc. The _time for this one is sign up date.

My other index has a log of the runner bib # and data about the runner during the race- heartrate, pace, bodytemp etc.

I need to figure out how to do stats/calcs on the 2nd index, but be able to sort by the first index. Ex: avg(Heartrate) by age.

For this example there is only one runner on the course at a time.

0 Karma
Highlighted

Re: Correlate data between two sources

Path Finder

Could you do something like this?

index=index_1 
| fields bib, height, age, weight 
| append [index=index_2 | fields bib, heartrate, pace, bodytemp] 
| stats avg(heartrate),values(bib) by age
0 Karma
Highlighted

Re: Correlate data between two sources

SplunkTrust
SplunkTrust

Try like this

index=yourindex1 OR index=yourIndex2 |  stats values(Heartrate) as Heartrate values(age) as age by bib | stats avg(Heartrate) as avgHR by age
0 Karma