Splunk Search

How to combine data from 2 source types?

Mathanjey
Explorer

All,

I have 2 source types, one being XML and the other being trace log file events. I have a requirement to combine values from both. Sourcetype 1: ITCM (trace log files); for a given Locomotive number, go and find the events from the second source type, retrieve some info (example: district name) and append it to the column of the first. Basically I am displaying a table to show all the necessary fields from the first source type and just append a column with values from the second source type (based on the matching condition - locomotive number).

I was able to combine both the source types but haven't been successful in appending the column values from the second source; basically I tried eval (if condition match), appendcols etc.

Issues with eval (if condition match) - I can see the eval condition matches only for the events coming from the second source type and doesn't equate to the events on the first source type, and the output is as below:

Row #1 displays values from sourcetype1: col1 (value=locomotive number), col2value, col3value, col4=blank (districtname)
Row #2 displays values from sourcetype2: col1 (value=locomotive number), blank (col2value), blank (col3value), districtname (col4value)

Basically I wanted to get a result that shows one row for each event as below:
col1 (value=locomotive number), col2value, col3value, districtname

Thoughts/Suggestions please

Thanks
Mathan J


somesoni2
Revered Legend

This is the general framework to achieve that:

(Your base search 1 e.g. index=A sourcetypeA) OR (Your base search 2 e.g. index=B sourcetypeB) | stats values(Field1) as Field1  values(Field2) as Field2.... by commonField

Where Field1, Field2, ... are the fields, from both base searches, that you want to display, and commonField is the field common to both searches.


jluo_splunk
Splunk Employee

Are the locomotive #'s stored as two separate fields (one for each sourcetype?) or are they stored under the same name?

If they're different..

sourcetype=src1 OR sourcetype=src2 | where locomotive1=locomotive2 | table locomotive1, col2, col3, districtname

If they're the same..

sourcetype=src1 OR sourcetype=src2 | transaction locomotive | table locomotive, col2, col3, districtname
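A concrete search built on the stats-by-common-field framework from the first answer and on the OR-of-sourcetypes form from the second, using the question's own fields; it is added here as an example and is not code from either answer. The second sourcetype name loco_xml, the key field names loco_no (in ITCM) and LocoNumber (in the XML), and the column names col2, col3 and districtname are assumptions.

```spl
sourcetype=ITCM OR sourcetype=loco_xml
| eval locomotive=coalesce(loco_no, LocoNumber)
| eventstats values(districtname) as districtname by locomotive
| where sourcetype="ITCM"
| table locomotive col2 col3 districtname
```

The stats form collapses the output to one row per locomotive, whereas eventstats copies the matching districtname onto every event sharing that locomotive and the where clause then keeps only the ITCM events, which yields the one-row-per-event table the question asks for.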