Splunk Search

How to add a field to an event, based on a field from another event.

adamsmith47
Communicator

I feel like I'm having a brain dead moment. I've been scratching my head over this one...

Essentially, I want to perform a lookup command using the current events in my results. I realize I could generate a lookup table first, then perform my search using that lookup table, but that would complicate several aspects of a process I'm building which I would like to avoid.

Example:

<... my_search>
| table employeeID employeeName managerID

with results...

employeeID     employeeName     managerID
000001         Doe, John        000002
000002         Doe, Jane        000003
000003         Bossman, Mr.     -

I would like to create another field managerName, which looks at the current results of <... my_search>, finds where an employeeID matches a managerID, and reads employeeName as managerName. So I could get:

 <... my_search>
 | table employeeID employeeName managerID managerName

with results like...

employeeID     employeeName     managerID     managerName
000001         Doe, John        000002        Doe, Jane
000002         Doe, Jane        000003        Bossman, Mr.
000003         Bossman, Mr.     -             -

Any help is greatly appreciated!

Thanks.

0 Karma
1 Solution

elliotproebstel
Champion

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]

View solution in original post

elliotproebstel
Champion

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...