Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine two separate indexes based on any permutation of the matching ID fields

eyeglassescase
Observer
‎05-30-2024 08:42 AM

Hi Splunk Community,

 

I need help to write a Splunk query to join two different indexes using any Splunk command that will satisfy the logic noted below.

 

Two separate ID fields in Index 2 must match two separate ID fields in Index 1 using any permutation of index 2’s three ID fields. Here is an outline of the logic below.

 

Combine index 1 record with index 2 record into a single record when any matching condition is satisfied below:

(ID_1_A=ID_2_A AND ID_1_B=ID_2_B)

OR

(ID_1_A=ID_2_A AND ID_1_B=ID_2_C)

OR

(ID_1_A=ID_2_B AND ID_1_B=ID_2_A)

OR

(ID_1_A=ID_2_B AND ID_1_B=ID_2_C)

OR

(ID_1_A=ID_2_C AND ID_1_B=ID_2_A)

OR

(ID_1_A=ID_2_C AND ID_1_B=ID_2_B)

Sample Data:

 

Index 1:

-----------------------

|ID_1_A |ID_1_B|

------------------------

|123       |345      |

------------------------

| 345      |123      |

------------------------

 

Index 2:

________________________

|ID_2_A   | ID_2_B   | ID_2_C|

----------------------------------------

|123         |345           |999       |

----------------------------------------

|123         |999           |345       |

----------------------------------------

|345         |123            |999      |

----------------------------------------

|999         |123           | 345       |

----------------------------------------

| 345       | 999           |123        |

----------------------------------------

 

Any help would be greatly appreciated.

 

Thanks.

 

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2024 09:22 AM 
| eval correlation1=coalesce(ID_1_A, ID_2_A)
| eval correlation2=coalesce(ID_1_B, ID_2_B)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
| eval correlation1=coalesce(ID_1_A, ID_2_A)
| eval correlation2=coalesce(ID_1_B, ID_2_C)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
| eval correlation1=coalesce(ID_1_A, ID_2_B)
| eval correlation2=coalesce(ID_1_B, ID_2_A)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
| eval correlation1=coalesce(ID_1_A, ID_2_B)
| eval correlation2=coalesce(ID_1_B, ID_2_C)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
| eval correlation1=coalesce(ID_1_A, ID_2_C)
| eval correlation2=coalesce(ID_1_B, ID_2_A)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
| eval correlation1=coalesce(ID_1_A, ID_2_C)
| eval correlation2=coalesce(ID_1_B, ID_2_B)
| eventstats values(index1data) as index1data, values(index2data) as index2data by correlation1 correlation2
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...