Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

COmpare or join 2 fields to 3rd output

jerinvarghese
Communicator
‎03-06-2021 06:55 AM

HI All,

Need help in comparing 2 fields or join 2 values to build a table for another 2 field.

CODE 1: 

 

index=opennms "Cisco-WLC-AP-DOWN/AP*"
| table AP_NAME, Time,downtime,

 

OUTPUT 1: 

AP_NAMETimeTicket_ID
AP64123/6/2021 19:11INC00001
AP64123/6/2021 18:45INC00002
AW3/6/2021 17:08INC00003
AE3/6/2021 16:29INC00004
AP64123/6/2021 15:15INC00005
AR3/6/2021 14:31INC00006

 

CODE 2:  

 

index=moogsoft_e2e
| table AP_NAME, Time,Ticket_ID,

 

OUTPUT 2: 

AP_NAMETimedowntime
AP64123/6/2021 19:114:18:55
AB3/6/2021 18:021:21:25
AC3/6/2021 17:081:23:45
AP64123/6/2021 10:127:45:23
AP64123/6/2021 15:152:21:34
AE3/6/2021 14:318:12:23

 

Expected final output Table :

AP_NAMETimeTicket_IDdowntime
AP64123/6/2021 19:11INC000014:18:55
AP64123/6/2021 15:15INC000052:21:34

 

I want both AP_NAME & Time  to match the Ticket_ID & downtime.  

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2021 09:24 AM

Try this

(index=opennms "Cisco-WLC-AP-DOWN/AP*") OR index=moogsoft_e2e
| stats values(*) as * by AP_NAME, downtime
| table AP_NAME, Time,Ticket_ID, downtime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...