Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I join 2 tables to create a new table with the given conditions?

gts_ame_tfo_cty
New Member
‎02-01-2018 07:18 AM

So this is what I want to do, and I don't know if Splunk can do this.

This is the result for Table A

Table A
hostA         brand
aaa          ios
bbb         nxos
ddd         metamako 
ccc          arista

This the result for table B

Table B
hostB            user
aaa-l1          user1
bbb-l1         user2
ddd-l1         user3 
ccc-l1           user4
kkk-l1          user5
klo-l1           user6

I want the join match TableA(hostA) with TableB(hostB) where like(hostB,"%"+hostA+"%")
and the result will be

 TableC
hostA            brand                    hostB            user
aaa                ios                          aaa-l1          user1
bbb               nxos                       bbb-l1         user2
ddd               metamako             ddd-l1         user3  
ccc                 arista                      ccc-l1           user4
0 Karma
Reply

niketn
Legend
‎02-01-2018 08:52 AM

@gts_ame_tfo_cty please share your query for Table A and Table B. Also make sure you use the Code Button 101010 on Splunk Answers while posting your queries so that special characters in them do not escape.

PS: Adding four spaces before each line of code will also format the entire content as code.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

493669
Super Champion
‎02-01-2018 08:52 AM

Hi @gts_ame_tfo_cty,
Try this:

<query> |  table hostA brand | rename hostA as host | join type=inner host [search <query>| rex field=hostB "(?<host>^[^\d]+\d+(\-\d+)*)" | table host user]

Let me know if it works!

0 Karma
Reply

493669
Super Champion
‎02-01-2018 08:14 AM

If you could share your exact host value so that accordingly field can be build which will use for join

0 Karma
Reply

gts_ame_tfo_cty
New Member
‎02-01-2018 08:27 AM

thanks you for the answer,

let me give you a real example

TableA
host
tor-rt-dist02-3
tor-rt-dist01
tor-rt-wan01-6
tor-rt-wan02
tor-rt-ext01
tor-rt-ext02

TableB
host
tor-rt-dist02-3-l0-6
tor-rt-dist01-l1-26
tor-rt-wan01-6-eth0
tor-rt-wan02-mgmt0

here is some of the hosts

0 Karma
Reply

FrankVl
Ultra Champion
‎02-01-2018 07:58 AM

If the actual data is as straight forward as your example, then you can just add a calculated field to table B with the truncated hostname and use that to join?

But given that you are asking for a like(hostB,"%"+hostA+"%") that seems to imply the actual case is more complex than your example?

0 Karma
Reply

gts_ame_tfo_cty
New Member
‎02-01-2018 08:12 AM

let me show you a real example

table A
host
tor-rt-dist02-03
tor-rt-dist01
tor-rt-wan01
tor-rt-wan02
tor-rt-ext01

tor-rt-ext02

TableB
host
tor-rt-dist02-03-l1
tor-rt-dist01-l1-3
tor-rt-wan01-l2-1
tor-rt-wan02-eth1-3

so as you can see with this example i cannot add truncated hostname and use that to join because sometime "tor-rt-wan01-l2-1" and sometime the hostname "tor-rt-wan02-eth1-3" so i cannot add a regex to extart and join.

is there any way to make it work ?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...