Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a field to an event, based on a field from another event.

adamsmith47
Communicator
‎04-18-2018 10:16 AM

I feel like I'm having a brain dead moment. I've been scratching my head over this one...

Essentially, I want to perform a lookup command using the current events in my results. I realize I could generate a lookup table first, then perform my search using that lookup table, but that would complicate several aspects of a process I'm building which I would like to avoid.

Example:

<... my_search>
| table employeeID employeeName managerID

with results...

employeeID     employeeName     managerID
000001         Doe, John        000002
000002         Doe, Jane        000003
000003         Bossman, Mr.     -

I would like to create another field managerName, which looks at the current results of <... my_search>, finds where an employeeID matches a managerID, and reads employeeName as managerName. So I could get:

 <... my_search>
 | table employeeID employeeName managerID managerName

with results like...

employeeID     employeeName     managerID     managerName
000001         Doe, John        000002        Doe, Jane
000002         Doe, Jane        000003        Bossman, Mr.
000003         Bossman, Mr.     -             -

Any help is greatly appreciated!

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-18-2018 10:32 AM

I think this should work for you:

your current search
| join type=outer managerID
 [ your current search
 | fields employeeID employeeName
 | rename employeeName AS managerName
 | rename employeeID AS managerID ]
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...