Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine values from fields in different indexes using it to sort?

FGAnders
Explorer
‎06-06-2023 02:22 AM

Hi,

I'm trying to combine values from two different fields in two different indexes. But it seems to come up blank. Is there any other options like join to combine it and sort it after the combined values?

| multisearch
[search index=ABC UserID=* CheckEvent Alias=* ]
[search index=CDE UserID=* classifications=SuperUser AliasTest=true ]
| eval Combi = AliasTest." - ".Alias
| stats values(UserID) as UserID, list(Combi) as Combined, list(AliasTest) as AliasTest ,list(classifications) as classifications, list(Alias) as Alias, dc(UserID) as users by Combi

It works if I combine fields from same index, but not if I try and combine fields values from ABC and CDE indexes. 


Thank you,

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 03:45 AM

Perhaps not strictly true, but it depends on your data.

For example, is you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events but may be this is good enough for your usecase?

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 02:31 AM

Your issue is not so much the multisearch - you can avoid this by using:

(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)

The issue is that you (apparently) have events in the pipeline that you want to combine. In order to do this, you would need a field in the events from one index which matches values in a field from events in the other index. So, unless AliasTest and Alias appear in events from both indexes, and therefore Combi is valid for events in both indexes, the stats (or a join) will not be able to combine the values by Combi.

Reply
Solved! Jump to solution

FGAnders
Explorer
‎06-06-2023 03:28 AM

Hi,

 

Thank you for the fast reply.

Seems like its not possible then if the fields and values are unique in both events in the indexes.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 03:45 AM

Perhaps not strictly true, but it depends on your data.

For example, is you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events but may be this is good enough for your usecase?

Reply
Solved! Jump to solution

FGAnders
Explorer
‎06-06-2023 03:53 AM

Thank you very much for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...