Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we join two sourcetypes together that have a common field?

Hema_Nithya
Explorer
‎01-06-2017 07:09 AM

How can we join fields of two source types, when one field is the same in both source types?

0 Karma
Reply

cmerriman
Super Champion
‎01-06-2017 08:39 AM

try this.

index=itsm sourcetype=tsm_filespaces OR sourcetype=tsm_nodes|stats values(*) as * by node_name| dedup node_name,filespace_name | table node_name, platform_name, filespace_name,backup_end,host
0 Karma
Reply

Hema_Nithya
Explorer
‎01-06-2017 08:26 AM

yes , I used Join ... 

index=itsm sourcetype=tsm_filespaces |join node_name [search sourcetype=tsm_nodes] | dedup node_name,filespace_name | table node_name, platform_name, filespace_name,backup_end,host
0 Karma
Reply

somesoni2
Revered Legend
‎01-06-2017 11:00 AM

Do node_name and filespace_name fields available in same sourcetype (single) OR both sourcetypes?

0 Karma
Reply

niketn
Legend
‎01-06-2017 07:28 AM

There could be multiple ways

Easiest to do might be through transaction

sourcetype="srcType1" OR sourcetype="srcType2" commonField=*
| transaction commonField
| table _time, eventcount, duration, _raw

However, stats might perform better based on use case. You will have to use combinations of first(), last(), min(), max() or values() etc for various fields that you want to work on after correlation

sourcetype="srcType1" OR sourcetype="srcType2" commonField=*
| stats count as eventcount by commonField
| search eventcount>1

You can also use append, appendcols, appendpipe, join,lookup etc based on your needs.

Refer to the following event correlation documentation for deciding on your choice: http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎01-06-2017 09:21 AM

As per your example

index=itsm sourcetype=tsm_filespaces  OR sourcetype=tsm_nodes node_name=* 
|stats values(filespacename) as filespacename values(platform_name) as platform_name values(backup_end) as backup_end values(host) as host by nodename
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

somesoni2
Revered Legend
‎01-06-2017 07:27 AM

There are various methods for it and which one will be best depends upon the output that you expect after joining them. Could you explain more on what is your end goal after joining those two sourcetype's data?

0 Karma
Reply

renjith_nair
Legend
‎01-06-2017 07:25 AM

Are you looking for something like 

(sourcetype=A OR sourcetype=B) commonfield=<value>

OR

(sourcetype=A OR sourcetype=B) |stats values(commonfield)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

cmerriman
Super Champion
‎01-06-2017 07:22 AM

I want to make sure I understand.

You have Sourcetype A and Sourcetype B and both of them have Field X and you want to join these two sourcetypes together based on Field X?

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...