How can I search across two sourcetypes for matchi...

vkrishnachand · ‎11-29-2017

Hi

I have one index with two sourcetypes: S1 and S2. In sourcetype S1 I have fields A, B, C and in sourcetype S2 I have fields D, E, F.

The values in B field will sometimes be equal to values in E field, where if they are equal my final output should be in form of table with fields A,B,C,D,E,F.

Please help on the same.

vkrishnachand · ‎11-29-2017

Hi

thanks for this. I should display the result in a table something like a table with all the fields combined to gether something like table A B C D E F. how to do this.

jplumsdaine22 · ‎11-29-2017

If B & E are unique identifiers that are the same, you could do something like this:

index=A (sourcetype=S1 OR sourcetype=S2) 
| eval G=coalesce(B,E) 
| stats values(A) as A values(C) as C values(D) as D values(F) as F by G

vkrishnachand · ‎11-29-2017

Hi

thanks for this. I should display the result in a table something like a table with all the fields combined to gether something like table A B C D E F. how to do this.

jplumsdaine22 · ‎11-29-2017

That search should do it. You can rearrange the fields like this if you want:

 | fields A G C D F

(don't forget we made G the value of B or E)

How can I search across two sourcetypes for matching fields and output a table with matching results?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How can I search across two sourcetypes for matching fields and output a table with matching results?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0