Splunk Search

How to combine the results of two queries where there is a common field after renaming.

shyambiswal
New Member

Hi All, I have two queries as below.

The index is the same, whereas sourcetype and source are different in the two queries.

There is a field called "Vserver" (after rename) and "host" whose values are the same in both queries. These fields can be taken as a reference for both queries.

I want to combine the results of both queries so that I can have the query-2 "vol_count" output in the query-1 table output.

Can anyone please help me?

Thanks and Regards

Shyam

Query-1:

index=infra_netapp sourcetype="ontap:vserver" source="vserver-get-iter" | rename vserver-name AS Vserver
| dedup Vserver
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})" 
| eval VserverCatagory=case(
match(Vserver, "^([a-zA-Z]+)-([a-z]{0,2})HD(\d{1,4})"),
"Home",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})GD(\d{1,4})"),
"GD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})AD(\d{1,4})"),
"AD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})UD(\d{1,4})"),
"UD",
1==1,"Unknown")
| table host, Vserver,vserver-type,state,VserverCatagory,operational-state


Query-2:

index=infra_netapp sourcetype="ontap:volume" source="volume-get-iter" | rename volume-id-attributes.name as Volume, volume-id-attributes.owning-vserver-name as Vserver
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})"
| stats dc(Volume) AS vol_count BY host, Vserver


ITWhisperer
SplunkTrust

How about something like this:

index=infra_netapp (sourcetype="ontap:volume" AND source="volume-get-iter") OR (sourcetype="ontap:vserver" AND source="vserver-get-iter")
| eval Vserver=coalesce('vserver-name', 'volume-id-attributes.owning-vserver-name')
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})"
| stats values(host) as host values(vserver-type) as vserver-type values(state) as state values(operational-state) as operational-state dc(volume-id-attributes.name) as vol_count by Vserver
| eval VserverCatagory=case(
match(Vserver, "^([a-zA-Z]+)-([a-z]{0,2})HD(\d{1,4})"),
"Home",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})GD(\d{1,4})"),
"GD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})AD(\d{1,4})"),
"AD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})UD(\d{1,4})"),
"UD",
1==1,"Unknown")

shyambiswal
New Member

Hi @ITWhisperer, thanks for replying with the query.

When I use that, I get the volume count, but the other values below are not coming through.

values(vserver-type) as vserver-type values(state) as state values(operational-state) as operational-state
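An added diagnostic search, not posted by anyone in this thread, to narrow down why vserver-type, state and operational-state come back empty in the combined search: it counts, per Vserver, how many events come from each sourcetype, how many carry each of the three fields, and how many survive the regex filter. Field names containing hyphens or dots are single-quoted inside eval, which SPL requires; the field names themselves are assumed to be exactly those used in the two original queries.

```spl
index=infra_netapp (sourcetype="ontap:volume" AND source="volume-get-iter") OR (sourcetype="ontap:vserver" AND source="vserver-get-iter")
| eval Vserver=coalesce('vserver-name', 'volume-id-attributes.owning-vserver-name')
| stats count(eval(sourcetype=="ontap:vserver")) AS vserver_events
        count(eval(sourcetype=="ontap:volume")) AS volume_events
        count(eval(isnotnull('vserver-type'))) AS has_vserver_type
        count(eval(isnotnull(state))) AS has_state
        count(eval(isnotnull('operational-state'))) AS has_operational_state
        count(eval(match(Vserver, "^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})"))) AS matches_regex
  BY Vserver
| where vserver_events=0 OR has_vserver_type=0 OR has_state=0 OR has_operational_state=0 OR matches_regex=0
```

A Vserver listed with vserver_events=0 has no matching vserver-get-iter event in the search window, so the stats by Vserver has nothing to collect the three attributes from; a Vserver with vserver_events>0 but has_vserver_type=0 points to the field being named or extracted differently on those events.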