Combine two columns in a table from two separate s...

splunkuser2127 · ‎05-01-2020

I'm currently running the query (changed to a dog-themed query) where I want to join two logs together by the Dog's name and end up getting the dog's id:

search "something within logs" | join dog_name_field [search "Dogs Name: "]| table "dog_id"

I want another column in the table, which is a subset of the results of the above search, where I get a true or false on whether or not that id belongs to a Golden Retriever. To get the id's for the golden retrievers, I can do something like:

search "something within logs" | join dog_name_field[search "Dogs Name: " AND "Golden Retriever"]| table "dog_id"

How do I get the ids of all the dogs and have another column saying whether or not that dogs is a golden retriever efficiently.

renjith_nair · ‎05-03-2020

@splunkuser2127 ,

If the dog name is a common field in both searches , try below

Let's say search1 includes index1 and search2 includes index2

index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
|where count >1

This should give you the common records from both search

Add additional field

    index=1 OR index=2 |stats values(dog_id) as dog_id , dc(index) as count by dogs_name
    |where count >1
    |eval  is_golden_retriever=if(dogs_name=="Golden Retriever","True","False")

Happy Splunking!

splunkuser2127 · ‎05-04-2020

This is helpful, but the dog_name can't be golden retriever, the word "Golden retriever" just might be found in the second search's log

Combine two columns in a table from two separate searches (where one is a subset of the other)

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk