Solved: Re: Dealing with multiple fields from different so...

Kavey · ‎04-25-2016

Hi,

here is my problem : I have a sourcetype A with a field X and Z and a sourcetype B with a field Y and Z. The thing I would like to do is using the field X and Z of sourcetype A and field Y of sourcetype B.

What is the simplest way to achieve this?

Thank you in advance for helping me 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

View solution in original post

javiergn · ‎04-25-2016

Another way to easily differentiate field names dynamically is by using the following syntax:

| eval yourfieldname-{sourcetype} = yourfieldname

For instance, if you have a field Z in both sourcetype A and sourcetype B, you could do the following:

| eval fieldZ-{sourcetype} = fieldZ

And Splunk will dynamically create the following two fields for you based on the value of your sourcetype:

fieldZ-sourcetypeA
fieldZ-sourcetypeB

If there were more sourcetypes added later on this would still work.
Hope that helps.

Kavey · ‎04-25-2016

Thanks, that method helped too! 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

Kavey · ‎04-25-2016

Thank you I didn't know about that feature it is indeed what I was looking for. However is there any other way to do this simply within the query ?

HeinzWaescher · ‎04-25-2016

You could also use eval & if to target specific sourcetypes

Like here in a stats command

... | stats sum(eval(if(sourcetype="A", Z, null()))) AS result

This sums up all values for Z if sourcetype="A"

Kavey · ‎04-25-2016

I didn't choose that method but it is a way to achieve what I want, thank you

ctaf · ‎04-25-2016

How about creating a field alias of the field Y of the sourcetype B?
Then it would have a different name and you will be able to do what you want.

ktugwell_splunk · ‎04-25-2016

Hey Kavey,

Take a look at the append command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append

You could do a subsearch to retrieve Z from sourcetype B.

Kavey · ‎04-25-2016

Hi, thanks for replying!

I already thought about it but I would like not to use a subsearch since it will affect the performance... Moreover the number of events that could be returned might be big

ktugwell_splunk · ‎04-25-2016

How about using eval to generate a new field identifying which sourcetype the data comes from?

... | eval Z1=IF(sourcetype=A, Z, NULL) | eval Z2=IF(sourcetype=B, Z, NULL)

Will that work for you?

Dealing with multiple fields from different sourcetype that have the same name

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?