Solved: Common Field in Two Different Indexes

ryanprayacn · ‎09-26-2017

I have two indexes that I can successfully join via stats. However, both indexes have a common field named "STATUS". I want to be able to separate the STATUS field into STATUS1 and STATUS2 before the join - so I can see both. I have left out STATUS below but showing successful join SPL below:

index=customertest OR index=valuetest | stats values(Spend) as spend values(Order) as order by Customer | fillnull value=NULL | mvexpand spend | sort Customer

Any recommendations?

DalJeanis · ‎09-26-2017

Try this...

index=customertest OR index=valuetest 
| eval Status1=case(index="customertest", Status)
| eval Status2=case(index="valuetest", Status)
| stats values(Spend) as spend values(Order) as order values(Status*) as Status* by Customer 
| fillnull value=NULL 
| mvexpand spend 
| sort Customer

View solution in original post

DalJeanis · ‎09-26-2017

Try this...

index=customertest OR index=valuetest 
| eval Status1=case(index="customertest", Status)
| eval Status2=case(index="valuetest", Status)
| stats values(Spend) as spend values(Order) as order values(Status*) as Status* by Customer 
| fillnull value=NULL 
| mvexpand spend 
| sort Customer

ryanprayacn · ‎09-27-2017

Thanks this worked!

Common Field in Two Different Indexes

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services