Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine data from 2 indexes

hvdtol
Path Finder
‎08-26-2021 03:01 AM

Hi,

I am trying to combine data from 2 indexen, but i find it hard to do.
I tried several stats values command, but that  did not gave me the solution
This is my source:

collection        hostname        stage          stagedata
                                                        st1               A1234;DEF
                                                        st1               A3456;XYZ
                                                        st2                A7890;XYZ
                                                        st3                B1234;ABC
COLLA               h1                     st1
COLLA              h2                     st1
COLLB              h3                      st2
COLLB              h4                      st2
COLLC             h5                       st1
COLLD              h6                       st3


An this is what i am trying to accomplice:

collection hostname            stage     stagedata
COLLA       h1                           st1          A1234;DEF
                                                                      A3456;XYZ
COLLA       h2                           st1          A1234;DEF
                                                                      A3456;XYZ
COLLB      h3                           st2           A7890;XYZ
COLLB     h4                            st2           A7890;XYZ
COLLC    h5                             st1           A1234;DEF
                                                                       A3456;XYZ
COLLD     h6                           st3            B1234;ABC

Any help would be appreciated.

Regards,

Harry

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hvdtol
Path Finder
‎08-26-2021 03:34 AM

Aah, the trick is to combine fields....
Of course. Very smart.

Thank you very much.

Regards,

Harry

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hvdtol
Path Finder
‎08-26-2021 03:34 AM

Aah, the trick is to combine fields....
Of course. Very smart.

Thank you very much.

Regards,

Harry

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-26-2021 04:11 AM

Please can you mark the solution as the solution rather than your response to the solution?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-26-2021 03:17 AM 
| makeresults 
| eval _raw="collection,hostname,stage,stagedata
,,st1,A1234;DEF
,,st1,A3456;XYZ
,,st2,A7890;XYZ
,,st3,B1234;ABC
COLLA,h1,st1
COLLA,h2,st1
COLLB,h3,st2
COLLB,h4,st2
COLLC,h5,st1
COLLD,h6,st3"
| multikv forceheader=1
| table collection hostname stage stagedata



| eval collectionhost=collection."!".hostname
| fields - collection hostname
| stats values(*) as * by stage
| stats values(*) as * by collectionhost stage
| eval collection=mvindex(split(collectionhost,"!"),0)
| eval hostname=mvindex(split(collectionhost,"!"),1)
| table collection hostname stage stagedata
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...