Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine two columns in a table from two separate searches (where one is a subset of the other)

splunkuser2127
Loves-to-Learn
‎05-01-2020 07:50 AM

I'm currently running the query (changed to a dog-themed query) where I want to join two logs together by the Dog's name and end up getting the dog's id:

search "something within logs" | join dog_name_field [search "Dogs Name: "]| table "dog_id"

I want another column in the table, which is a subset of the results of the above search, where I get a true or false on whether or not that id belongs to a Golden Retriever. To get the id's for the golden retrievers, I can do something like:

search "something within logs" | join dog_name_field[search "Dogs Name: " AND "Golden Retriever"]| table "dog_id"

How do I get the ids of all the dogs and have another column saying whether or not that dogs is a golden retriever efficiently.

Tags (2)
0 Karma
Reply

renjith_nair
Legend
‎05-03-2020 09:33 PM

@splunkuser2127 ,

If the dog name is a common field in both searches , try below

Let's say search1 includes index1 and search2 includes index2 

index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
|where count >1

This should give you the common records from both search

Add additional field

    index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
    |where count >1
    |eval  is_golden_retriever=if(dogs_name=="Golden Retriever","True","False")
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

splunkuser2127
Loves-to-Learn
‎05-04-2020 07:34 AM

This is helpful, but the dog_name can't be golden retriever, the word "Golden retriever" just might be found in the second search's log

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...