Re: How do I join different events on an ID with ...

nikosattlermhp · ‎10-24-2018

Hello everybody,

I have many messages with two different source types and an ID and a information field. For every ID, there is one message from source 1 and one from source 2. I need to display to every ID the information field of both source types:

Example:

ID | Source 1 | Source 2 |

If there is no second event to an ID from the other source, "null" should be displayed.

How can I perform this join/combination?

My try:

index=myindex source1 | table id, infofield1 | join type=outer [search index=myindex source2 |table id, infofield2]

Thank you in advance!

richgalloway · ‎10-24-2018

Here's something to try.

index=myindex (source1 OR source2) | stats values(infofield1) as infofield1 values(infofield2) as infofield2 by id | fillnull infofield2

---
If this reply helps you, Karma would be appreciated.

How do I join different events on an ID with different source types?

ID | Source 1 | Source 2 |

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How do I join different events on an ID with different source types?

ID | Source 1 | Source 2 |

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future