Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a field to an event, based on a field from another event.

adamsmith47
Communicator
‎04-18-2018 10:16 AM

I feel like I'm having a brain dead moment. I've been scratching my head over this one...

Essentially, I want to perform a lookup command using the current events in my results. I realize I could generate a lookup table first, then perform my search using that lookup table, but that would complicate several aspects of a process I'm building which I would like to avoid.

Example:

<... my_search>
| table employeeID employeeName managerID

with results...

employeeID     employeeName     managerID
000001         Doe, John        000002
000002         Doe, Jane        000003
000003         Bossman, Mr.     -

I would like to create another field managerName, which looks at the current results of <... my_search>, finds where an employeeID matches a managerID, and reads employeeName as managerName. So I could get:

 <... my_search>
 | table employeeID employeeName managerID managerName

with results like...

employeeID     employeeName     managerID     managerName
000001         Doe, John        000002        Doe, Jane
000002         Doe, Jane        000003        Bossman, Mr.
000003         Bossman, Mr.     -             -

Any help is greatly appreciated!

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
li.common.scroll-to.top