How to combine values from fields in different indexes using it to sort?

FGAnders
Explorer

Hi,

I'm trying to combine values from two different fields in two different indexes, but it seems to come up blank. Are there any other options, like join, to combine them and sort by the combined values?

| multisearch
[search index=ABC UserID=* CheckEvent Alias=* ]
[search index=CDE UserID=* classifications=SuperUser AliasTest=true ]
| eval Combi = AliasTest." - ".Alias
| stats values(UserID) as UserID, list(Combi) as Combined, list(AliasTest) as AliasTest, list(classifications) as classifications, list(Alias) as Alias, dc(UserID) as users by Combi

It works if I combine fields from the same index, but not if I try to combine field values from the ABC and CDE indexes.


Thank you,


ITWhisperer
SplunkTrust

Your issue is not so much the multisearch - you can avoid this by using:

(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)

The issue is that you (apparently) have events in the pipeline that you want to combine. In order to do this, you would need a field in the events from one index which matches values in a field from events in the other index. So, unless AliasTest and Alias appear in events from both indexes, and therefore Combi is valid for events in both indexes, the stats (or a join) will not be able to combine the values by Combi.
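As an added illustration of the point above (this is not a search from the thread), the two searches already share UserID, so that field can serve as the key: gather each user's fields from both indexes with stats by UserID, then build Combi and sort on it. Index and field names are the ones from the question; src_count and the where filter are assumptions added here.

```spl
(index=ABC UserID=* CheckEvent Alias=*) OR (index=CDE UserID=* classifications=SuperUser AliasTest=true)
| stats values(Alias) as Alias, values(AliasTest) as AliasTest, values(classifications) as classifications, dc(index) as src_count by UserID
| where src_count=2
| eval Combi = mvjoin(AliasTest, ",") . " - " . mvjoin(Alias, ",")
| sort 0 Combi
```

The where src_count=2 line keeps only users seen in both indexes (inner-join behaviour); drop it to keep every UserID, in which case the missing side is null and Combi is null for those rows. mvjoin is used because values() returns a multivalue field when a user has more than one Alias. A join type=inner UserID [search index=CDE ...] gives the same result, but the subsearch is subject to the default subsearch limits (50,000 results, 60 seconds), so the stats form is the safer choice at scale; sort 0 lifts the default 10,000-row sort limit.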

FGAnders
Explorer

Hi,

Thank you for the fast reply.

Seems like it's not possible then if the fields and values are unique in both events in the indexes.


ITWhisperer
SplunkTrust

Perhaps not strictly true, but it depends on your data.

For example, if you wanted to combine the first event from the first search with the first event from the second search, and the second event from the first search with the second event from the second search, and so on, you could use the appendcols command. This takes no account of the values in the events, but maybe this is good enough for your use case?
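An added example of the positional pairing just described (not a search from the thread): appendcols attaches row N of the subsearch to row N of the main search regardless of the values in either row. The renamed UserID_CDE column and the same_user flag are assumptions added here so that the pairing can be checked rather than trusted.

```spl
index=ABC UserID=* CheckEvent Alias=*
| table UserID Alias
| sort 0 UserID
| appendcols
    [ search index=CDE UserID=* classifications=SuperUser AliasTest=true
      | table UserID AliasTest classifications
      | rename UserID as UserID_CDE
      | sort 0 UserID_CDE ]
| eval Combi = AliasTest . " - " . Alias
| eval same_user = if(UserID == UserID_CDE, "yes", "no")
| sort 0 Combi
```

Sorting both sides on the same key before appendcols makes a positional match more likely but does not guarantee one: any user present in only one index shifts every later row, so same_user is the check to look at before acting on Combi. When the two searches return different row counts, the extra rows on the longer side get null for the appended fields and Combi is null for them, and the subsearch is again subject to the default subsearch limits.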

FGAnders
Explorer

Thank you very much for the help.
