Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a field to an event, based on a field from another event.

adamsmith47
Communicator
‎04-18-2018 10:16 AM

I feel like I'm having a brain dead moment. I've been scratching my head over this one...

Essentially, I want to perform a lookup command using the current events in my results. I realize I could generate a lookup table first, then perform my search using that lookup table, but that would complicate several aspects of a process I'm building which I would like to avoid.

Example:

<... my_search>
| table employeeID employeeName managerID

with results...

employeeID     employeeName     managerID
000001         Doe, John        000002
000002         Doe, Jane        000003
000003         Bossman, Mr.     -

I would like to create another field managerName, which looks at the current results of <... my_search>, finds where an employeeID matches a managerID, and reads employeeName as managerName. So I could get:

 <... my_search>
 | table employeeID employeeName managerID managerName

with results like...

employeeID     employeeName     managerID     managerName
000001         Doe, John        000002        Doe, Jane
000002         Doe, Jane        000003        Bossman, Mr.
000003         Bossman, Mr.     -             -

Any help is greatly appreciated!

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...