Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine values from fields in different indexes using it to sort?

FGAnders
Explorer
‎06-06-2023 02:22 AM

Hi,

I'm trying to combine values from two different fields in two different indexes. But it seems to come up blank. Is there any other options like join to combine it and sort it after the combined values?

| multisearch
[search index=ABC UserID=* CheckEvent Alias=* ]
[search index=CDE UserID=* classifications=SuperUser AliasTest=true ]
| eval Combi = AliasTest." - ".Alias
| stats values(UserID) as UserID, list(Combi) as Combined, list(AliasTest) as AliasTest ,list(classifications) as classifications, list(Alias) as Alias, dc(UserID) as users by Combi

It works if I combine fields from same index, but not if I try and combine fields values from ABC and CDE indexes. 


Thank you,

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 03:45 AM

Perhaps not strictly true, but it depends on your data.

For example, is you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events but may be this is good enough for your usecase?

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 02:31 AM

Your issue is not so much the multisearch - you can avoid this by using:

(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)

The issue is that you (apparently) have events in the pipeline that you want to combine. In order to do this, you would need a field in the events from one index which matches values in a field from events in the other index. So, unless AliasTest and Alias appear in events from both indexes, and therefore Combi is valid for events in both indexes, the stats (or a join) will not be able to combine the values by Combi.

Reply
Solved! Jump to solution

FGAnders
Explorer
‎06-06-2023 03:28 AM

Hi,

 

Thank you for the fast reply.

Seems like its not possible then if the fields and values are unique in both events in the indexes.

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 03:45 AM

Perhaps not strictly true, but it depends on your data.

For example, is you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events but may be this is good enough for your usecase?

Reply
Solved! Jump to solution

FGAnders
Explorer
‎06-06-2023 03:53 AM

Thank you very much for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...