- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine data from 2 indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to combine data from 2 indexen, but i find it hard to do.
I tried several stats values command, but that did not gave me the solution
This is my source:
collection hostname stage stagedata
st1 A1234;DEF
st1 A3456;XYZ
st2 A7890;XYZ
st3 B1234;ABC
COLLA h1 st1
COLLA h2 st1
COLLB h3 st2
COLLB h4 st2
COLLC h5 st1
COLLD h6 st3
An this is what i am trying to accomplice:
collection hostname stage stagedata
COLLA h1 st1 A1234;DEF
A3456;XYZ
COLLA h2 st1 A1234;DEF
A3456;XYZ
COLLB h3 st2 A7890;XYZ
COLLB h4 st2 A7890;XYZ
COLLC h5 st1 A1234;DEF
A3456;XYZ
COLLD h6 st3 B1234;ABC
Any help would be appreciated.
Regards,
Harry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aah, the trick is to combine fields....
Of course. Very smart.
Thank you very much.
Regards,
Harry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aah, the trick is to combine fields....
Of course. Very smart.
Thank you very much.
Regards,
Harry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please can you mark the solution as the solution rather than your response to the solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="collection,hostname,stage,stagedata
,,st1,A1234;DEF
,,st1,A3456;XYZ
,,st2,A7890;XYZ
,,st3,B1234;ABC
COLLA,h1,st1
COLLA,h2,st1
COLLB,h3,st2
COLLB,h4,st2
COLLC,h5,st1
COLLD,h6,st3"
| multikv forceheader=1
| table collection hostname stage stagedata
| eval collectionhost=collection."!".hostname
| fields - collection hostname
| stats values(*) as * by stage
| stats values(*) as * by collectionhost stage
| eval collection=mvindex(split(collectionhost,"!"),0)
| eval hostname=mvindex(split(collectionhost,"!"),1)
| table collection hostname stage stagedata
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
