Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to coalesce three events

shimada-k
Explorer
‎06-06-2024 09:09 PM

Hi Experts,

I would like to create the following table from the three events. 

 

ipv4-entry_prefix           network-instance_name          interface
----------------------------------------------------------------------
1.1.1.0/24                  VRF_1001                       Ethernet48

 

Both event#1 and event#2 have "tags.next-hop-group" field and both event#2 and event#3 have "tags.index" field.All events are stored in the same index. I tried to write a proper SPL to achieve the above, but I couldn't. Could you please tell me how to achieve this?

 

- event#1
{
  "name": "fib",
  "timestamp": 1717571778600,
  "tags": {
    "ipv4-entry_prefix": "1.1.1.0/24",
    "network-instance_name": "VRF_1001",
    "next-hop-group": "1297036705567609741",
    "source": "r0",
    "subscription-name": "fib"
  }
}
- event#2
{
  "name": "fib",
  "timestamp": 1717572745136,
  "tags": {
    "index": "140400192798928",
    "network-instance_name": "VRF_1001",
    "next-hop-group": "1297036705567609741",
    "source": "r0",
    "subscription-name": "fib"
  },
  "values": {
    "index": "140400192798928"
  }
}
-event#3
{
  "name": "fib",
  "timestamp": 1717572818890,
  "tags": {
    "index": "140400192798928",
    "network-instance_name": "VRF_1001",
    "source": "r0",
    "subscription-name": "fib"
  },
  "values": {
    "interface": "Ethernet48"
  }

 

Many thanks,

Kenji

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-06-2024 09:41 PM

What about

 

| stats values(tags.ipv4-entry_prefix) as ipv4-entry_prefix values(tags.network-instance_name) as network-instance_name values(values.interface) as interface

 

or

 

| fields *.ipv4-entry_prefix *.network-instance_name *.interface
| stats values(*) as *

 

The latter will give

tags.ipv4-entry_prefixtags.network-instance_namevalues.interface
1.1.1.0/24VRF_1001Ethernet48

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2024 09:26 PM

Hi @shimada-k ,

please try this:

index=your_index ("tags.next-hop-group"=* OR "tags.index"=*)
| rename 
     "tags.next-hop-group" AS tags_next_hop_group
     "tags.index" AS tags_index
     "ipv4-entry_prefix" AS ipv4_entry_prefix
     "network-instance_name" AS network_instance_name
| eva tags_index=coalesce(tags_index, tags_next_hop_group)
| stats 
     vaues(ipv4_entry_prefix) AS ipv4_entry_prefix
     values(network_instance_name) AS network_instance_name
     values(interface) AS interface
     BY tags_next_hop_group

in other words, you have to coalesce events with the fields "tags.next-hop-group" and "tags.index" and use it as key in a stats command.

I had to rename your fields because sometimes eval and stats commands doesn't correctly work when inside the field there are spaces, dots or minus char.

Ciao.

Giuseppe

0 Karma
Reply

shimada-k
Explorer
‎06-06-2024 11:49 PM

Hi gcusello,

Thanks for your prompt reply. I tried your solution. It's almost perfect, but interface field does not appear. I would appreciate it if you could give me an additional advice to resolve it.

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*)
| rename 
     "tags.next-hop-group" AS tags_next_hop_group
     "tags.index" AS tags_index
     "tags.ipv4-entry_prefix" AS ipv4_entry_prefix
     "tags.network-instance_name" AS network_instance_name
| eval tags_index=coalesce(tags_index, tags_next_hop_group)
| stats 
     values(ipv4_entry_prefix) AS ipv4_entry_prefix
     values(network_instance_name) AS network_instance_name
     values(tags.interface) AS interface
     BY tags_index
| sort ipv4_entry_prefix network_instance_name

Result

shimadak_1-1717742898702.png

Many thanks,

Kenji

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2024 12:14 AM

Hi @shimada-k ,

sorry I mistyped the field name, probably the interface field name is different, probably its only "interface",

please see the exact field name and replace it in the search:

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*)
| rename 
     "tags.next-hop-group" AS tags_next_hop_group
     "tags.index" AS tags_index
     "tags.ipv4-entry_prefix" AS ipv4_entry_prefix
     "tags.network-instance_name" AS network_instance_name
| eval tags_index=coalesce(tags_index, tags_next_hop_group)
| stats 
     values(ipv4_entry_prefix) AS ipv4_entry_prefix
     values(network_instance_name) AS network_instance_name
     values(interface) AS interface
     BY tags_index
| sort ipv4_entry_prefix network_instance_name

Ciao.

Giuseppe

0 Karma
Reply

shimada-k
Explorer
‎06-07-2024 01:41 AM

Thanks again, gcusello. Much appreciated.

Do I need to add <"values.interface" AS interface> in rename, correct?

I executed the following query.

index=gnmi ("tags.next-hop-group"=* OR "tags.index"=*) earliest="06/07/2024:08:28:14"
| rename 
     "tags.next-hop-group" AS tags_next_hop_group
     "tags.index" AS tags_index
     "tags.ipv4-entry_prefix" AS ipv4_entry_prefix
     "tags.network-instance_name" AS network_instance_name
     "values.interface" AS interface
| eval tags_index=coalesce(tags_index, tags_next_hop_group)
| stats 
     values(ipv4_entry_prefix) AS ipv4_entry_prefix
     values(network_instance_name) AS network_instance_name
     values(interface) AS interface
     BY tags_index
| sort ipv4_entry_prefix network_instance_name

Then I received the following result.

shimadak_0-1717749393104.png

 

My expectation is that "Ethernet48" appears in 1st and 2nd line.

The data is as follows.

shimadak_1-1717749521252.png

 

shimadak_2-1717749557635.png

 

shimadak_3-1717749615189.png

 

Many thanks,

Kenji

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2024 01:50 AM

Hi @shimada-k ,

Yes correct.

you don't have the interface field in all the events so you cannot display it in all raws.

Ciao.

Giuseppe

0 Karma
Reply

shimada-k
Explorer
‎06-07-2024 09:36 PM

OK. Thanks for you help, gcusello.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-09-2024 02:51 AM

Hi @shimada-k ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...