Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Common Field in Two Different Indexes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryanprayacn
Explorer
09-26-2017
07:25 PM
I have two indexes that I can successfully join via stats. However, both indexes have a common field named "STATUS". I want to be able to separate the STATUS field into STATUS1 and STATUS2 before the join - so I can see both. I have left out STATUS below but showing successful join SPL below:
index=customertest OR index=valuetest | stats values(Spend) as spend values(Order) as order by Customer | fillnull value=NULL | mvexpand spend | sort Customer
Any recommendations?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
09-26-2017
08:43 PM
Try this...
index=customertest OR index=valuetest
| eval Status1=case(index="customertest", Status)
| eval Status2=case(index="valuetest", Status)
| stats values(Spend) as spend values(Order) as order values(Status*) as Status* by Customer
| fillnull value=NULL
| mvexpand spend
| sort Customer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
09-26-2017
08:43 PM
Try this...
index=customertest OR index=valuetest
| eval Status1=case(index="customertest", Status)
| eval Status2=case(index="valuetest", Status)
| stats values(Spend) as spend values(Order) as order values(Status*) as Status* by Customer
| fillnull value=NULL
| mvexpand spend
| sort Customer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryanprayacn
Explorer
09-27-2017
05:20 AM
Thanks this worked!
Related Topics
Get Updates on the Splunk Community!
New Year, New Changes for Splunk Certifications
As we embrace a new year, we’re making a small but important update to the Splunk Certification ...
[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables
[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...
