Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Given two sourcetypes, how to do you extract data from one sourcetype to another?

zuokun
New Member
‎11-07-2016 12:58 AM

Newbie here, would appreciate if anyone can help to answer this little question.

I have two sourcetypes, A and B.

A and B contains different types of data, but have a column called 'ID' that allows them to be linked.

If I want to do something like a lookup from A on B, or to extract a column from B and place it in A based on ID, how do I go about doing so?

For example, based on the type of a particular job (in sourcetype A), I want to retrieve the duration taken to complete the job (in source type B)

The idea is to based on the type of A, look for the ID of the job, then do something like a lookup on B based on the ID column, then retrieve the time taken, here's what I've tried.

sourcetype=A
| join type=left ID [search sourcetype=B elasped_time]
| eval result = IF(Type = "ongoing" OR Type = "finished", elapsed_time, "-")
| table result

I've tried join type =inner/outer/left, append, selfjoin, but none of them works for me. I tried lookup but I can't do a lookup for sourcetype, can i?

Can someone give a helping hand?

Thanks in advance.

0 Karma
Reply

somesoni2
Revered Legend
‎11-07-2016 07:57 AM

Try like this

sourcetype=A OR sourcetype=B
| stats values(Type) as Type values(elapsed_time) as elapsed_time by ID
| eval result = IF(Type = "ongoing" OR Type = "finished", elapsed_time, "-")
| table result
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...