Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine two columns in a table from two separate searches (where one is a subset of the other)

splunkuser2127
Loves-to-Learn
‎05-01-2020 07:50 AM

I'm currently running the query (changed to a dog-themed query) where I want to join two logs together by the Dog's name and end up getting the dog's id:

search "something within logs" | join dog_name_field [search "Dogs Name: "]| table "dog_id"

I want another column in the table, which is a subset of the results of the above search, where I get a true or false on whether or not that id belongs to a Golden Retriever. To get the id's for the golden retrievers, I can do something like:

search "something within logs" | join dog_name_field[search "Dogs Name: " AND "Golden Retriever"]| table "dog_id"

How do I get the ids of all the dogs and have another column saying whether or not that dogs is a golden retriever efficiently.

Tags (2)
0 Karma
Reply

renjith_nair
Legend
‎05-03-2020 09:33 PM

@splunkuser2127 ,

If the dog name is a common field in both searches , try below

Let's say search1 includes index1 and search2 includes index2 

index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
|where count >1

This should give you the common records from both search

Add additional field

    index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
    |where count >1
    |eval  is_golden_retriever=if(dogs_name=="Golden Retriever","True","False")
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

splunkuser2127
Loves-to-Learn
‎05-04-2020 07:34 AM

This is helpful, but the dog_name can't be golden retriever, the word "Golden retriever" just might be found in the second search's log

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...