Solved: Re: Dealing with multiple fields from different so...

Kavey · ‎04-25-2016

Hi,

here is my problem : I have a sourcetype A with a field X and Z and a sourcetype B with a field Y and Z. The thing I would like to do is using the field X and Z of sourcetype A and field Y of sourcetype B.

What is the simplest way to achieve this?

Thank you in advance for helping me 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

View solution in original post

javiergn · ‎04-25-2016

Another way to easily differentiate field names dynamically is by using the following syntax:

| eval yourfieldname-{sourcetype} = yourfieldname

For instance, if you have a field Z in both sourcetype A and sourcetype B, you could do the following:

| eval fieldZ-{sourcetype} = fieldZ

And Splunk will dynamically create the following two fields for you based on the value of your sourcetype:

fieldZ-sourcetypeA
fieldZ-sourcetypeB

If there were more sourcetypes added later on this would still work.
Hope that helps.

Kavey · ‎04-25-2016

Thanks, that method helped too! 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

Kavey · ‎04-25-2016

Thank you I didn't know about that feature it is indeed what I was looking for. However is there any other way to do this simply within the query ?

HeinzWaescher · ‎04-25-2016

You could also use eval & if to target specific sourcetypes

Like here in a stats command

... | stats sum(eval(if(sourcetype="A", Z, null()))) AS result

This sums up all values for Z if sourcetype="A"

Kavey · ‎04-25-2016

I didn't choose that method but it is a way to achieve what I want, thank you

ctaf · ‎04-25-2016

How about creating a field alias of the field Y of the sourcetype B?
Then it would have a different name and you will be able to do what you want.

ktugwell_splunk · ‎04-25-2016

Hey Kavey,

Take a look at the append command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append

You could do a subsearch to retrieve Z from sourcetype B.

Kavey · ‎04-25-2016

Hi, thanks for replying!

I already thought about it but I would like not to use a subsearch since it will affect the performance... Moreover the number of events that could be returned might be big

ktugwell_splunk · ‎04-25-2016

How about using eval to generate a new field identifying which sourcetype the data comes from?

... | eval Z1=IF(sourcetype=A, Z, NULL) | eval Z2=IF(sourcetype=B, Z, NULL)

Will that work for you?

Dealing with multiple fields from different sourcetype that have the same name

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation