How to combain two rex

VRP136 · ‎10-09-2024

I have two rex queries and want know how to combine

Query : 1

index=test1 sourcetype=teams
| search "osversion="
| rex field=_raw "\s+(?<osVersion>.*?)$"
| table Time(utc) "OSVersion"

output :

time osversion
1.1 123
1.2 1234
1.3 12345
1.4 123456

Query : 2

index=test1 sourcetype=teams
| search "host=12*
| rex field=_raw "\w+(?<host>*)$"
| table Time(utc) "OSVersion"

output :

time host
1.1 abc
1.2 abcd
1.3 abcde

Pls help me how to combine above queries and should show table like below

time osversion host
1.1 123 abc
1.2 1234 abcd
1.3 12345 abcde

richgalloway · ‎10-09-2024

The queries can be combined like this.

index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>*)$"
| table Time(utc) "OSVersion" host

That will give you lists of OSVersions and hosts separately, but in a single table. Then you should compare the time values to see if OSVersion and host are in events with the timestamp so they can be merged. If so, then this query will do it.

index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>*)$"
| stats values(*) as * by "Time(utc)"
| table "Time(utc)" "OSVersion" host

---
If this reply helps you, Karma would be appreciated.

How to combain two rex

rex

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Are you a member of the Splunk Community?

How to combain two rex

rex

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen