Splunk Search

How to combine the results of two queries where there is a common field after renaming?

shyambiswal
New Member

Hi All, I have two queries as below.

The index is the same, whereas the sourcetype and source are different in the two queries.

There is a field called "Vserver" (after rename) and "host" whose values are the same in both queries. These fields can be taken as a reference for both queries.

I want to combine the results of both queries so that I can have the query-2 "vol_count" output in the query-1 table output.

Can anyone please help me?

Thanks and Regards

Shyam

Query-1:

index=infra_netapp sourcetype="ontap:vserver" source="vserver-get-iter" | rename vserver-name AS Vserver
| dedup Vserver
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})" 
| eval VserverCatagory=case(
match(Vserver, "^([a-zA-Z]+)-([a-z]{0,2})HD(\d{1,4})"),
"Home",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})GD(\d{1,4})"),
"GD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})AD(\d{1,4})"),
"AD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})UD(\d{1,4})"),
"UD",
1==1,"Unknown")
| table host, Vserver,vserver-type,state,VserverCatagory,operational-state


Query-2:

index=infra_netapp sourcetype="ontap:volume" source="volume-get-iter" | rename volume-id-attributes.name as Volume, volume-id-attributes.owning-vserver-name as Vserver
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})"
| stats dc(Volume) AS vol_count BY host, Vserver


ITWhisperer
SplunkTrust

How about something like this:

index=infra_netapp (sourcetype="ontap:volume" AND source="volume-get-iter") OR (sourcetype="ontap:vserver" AND source="vserver-get-iter")
| eval Vserver=coalesce('vserver-name', 'volume-id-attributes.owning-vserver-name')
| regex Vserver="^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})"
| stats values(host) as host values(vserver-type) as vserver-type values(state) as state values(operational-state) as operational-state dc(volume-id-attributes.name) as vol_count by Vserver
| eval VserverCatagory=case(
match(Vserver, "^([a-zA-Z]+)-([a-z]{0,2})HD(\d{1,4})"),
"Home",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})GD(\d{1,4})"),
"GD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})AD(\d{1,4})"),
"AD",
match(Vserver,"^([a-zA-Z]+)-([a-z]{0,2})UD(\d{1,4})"),
"UD",
1==1,"Unknown")

shyambiswal
New Member

Hi @ITWhisperer, thanks for replying with the query.

When I use that, I get the volume count, but the other values below are not coming through:

values(vserver-type) as vserver-type values(state) as state values(operational-state) as operational-state

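The following is an added example, not code from the thread or from Splunk. It is a small Python model of what ITWhisperer's search does: coalesce the two vserver-name fields into one join key, drop events whose key fails the regex filter, and then group by that key, collecting values() for the vserver attributes and a distinct count of volume names. The events are constructed (assumed field names and values, the hosts and vserver names are made up), and the last volume event deliberately uses a key that passes the regex but is not identical to the vserver-side name. That is one way to reproduce the symptom from the follow-up post (vol_count present, the other values empty), shown here as an illustration rather than as a diagnosis of the poster's data. The `contributors()` function is the check a practitioner would run first: which sourcetypes actually produced each join key.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the two NetApp sourcetypes in the
# thread (assumed field names and values; not data from the original post).
# The last volume event uses "svm-2pri7", which passes the regex filter but is
# not byte-identical to the vserver-side "svm-2pri07": a join-key mismatch.
EVENTS = [
    {"sourcetype": "ontap:vserver", "host": "cluster1", "vserver-name": "svm-ab1pri01",
     "vserver-type": "data", "state": "running", "operational-state": "running"},
    {"sourcetype": "ontap:vserver", "host": "cluster1", "vserver-name": "svm-2pri07",
     "vserver-type": "data", "state": "running", "operational-state": "running"},
    {"sourcetype": "ontap:vserver", "host": "cluster1", "vserver-name": "svm-adm",
     "vserver-type": "admin", "state": "running", "operational-state": "running"},
    {"sourcetype": "ontap:volume", "host": "cluster1", "volume-id-attributes.name": "vol1",
     "volume-id-attributes.owning-vserver-name": "svm-ab1pri01"},
    {"sourcetype": "ontap:volume", "host": "cluster1", "volume-id-attributes.name": "vol2",
     "volume-id-attributes.owning-vserver-name": "svm-ab1pri01"},
    {"sourcetype": "ontap:volume", "host": "cluster1", "volume-id-attributes.name": "vol1",
     "volume-id-attributes.owning-vserver-name": "svm-ab1pri01"},   # repeated poll: dc() counts it once
    {"sourcetype": "ontap:volume", "host": "cluster1", "volume-id-attributes.name": "vol3",
     "volume-id-attributes.owning-vserver-name": "svm-2pri7"},      # mismatched key
]

# Same filter the thread applies with "| regex Vserver=..."
VSERVER_FILTER = re.compile(r"^([a-zA-Z]+)-([a-z]{0,2})([1-9]{1,2})pri(\d{1,4})")
VALUE_FIELDS = ("host", "vserver-type", "state", "operational-state")


def coalesce(*values):
    """SPL coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def vserver_key(event):
    """eval Vserver=coalesce('vserver-name', 'volume-id-attributes.owning-vserver-name')"""
    return coalesce(event.get("vserver-name"),
                    event.get("volume-id-attributes.owning-vserver-name"))


def combine(events):
    """stats values(host) values(vserver-type) values(state) values(operational-state)
    dc(volume-id-attributes.name) as vol_count by Vserver, over the regex-filtered events."""
    groups = defaultdict(lambda: {**{f: set() for f in VALUE_FIELDS}, "volumes": set()})
    for ev in events:
        key = vserver_key(ev)
        if key is None or not VSERVER_FILTER.search(key):
            continue                      # "| regex" drops non-matching events
        g = groups[key]
        for f in VALUE_FIELDS:
            if ev.get(f) is not None:     # values() ignores events lacking the field
                g[f].add(ev[f])
        vol = ev.get("volume-id-attributes.name")
        if vol is not None:
            g["volumes"].add(vol)         # dc() counts distinct volume names
    return {key: {**{f: sorted(g[f]) for f in VALUE_FIELDS}, "vol_count": len(g["volumes"])}
            for key, g in groups.items()}


def contributors(events):
    """Diagnostic equivalent of '| stats count by sourcetype, Vserver': which sourcetypes
    produced each join key. A key seen from only one sourcetype explains a row where
    vol_count is present but the vserver attributes are empty (or the reverse)."""
    seen = defaultdict(set)
    for ev in events:
        key = vserver_key(ev)
        if key is not None and VSERVER_FILTER.search(key):
            seen[key].add(ev["sourcetype"])
    return dict(seen)


if __name__ == "__main__":
    for key, row in sorted(combine(EVENTS).items()):
        print(key, row)
    for key, kinds in sorted(contributors(EVENTS).items()):
        print(key, sorted(kinds))
```

Running it, "svm-ab1pri01" gets a full row with vol_count 2, "svm-2pri07" gets its vserver attributes but vol_count 0, and "svm-2pri7" gets vol_count 1 with every values() column empty, because the two sides never shared a key. In Splunk the same check is a quick `| stats count by sourcetype, Vserver` placed right after the `eval`/`regex` lines: every Vserver you expect to merge should show a count for both sourcetypes. Note also that in SPL the `eval` needs the single quotes around `'vserver-name'` and `'volume-id-attributes.owning-vserver-name'`; unquoted, eval reads the hyphens as subtraction.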