
How to consider values of a field from the events of type1 when does not exist in type2?


Hello,

I have got two types of events, typeA and typeB. In both, I'm interested in only a single field, "Success".
If the field Success does not exist or its value is "" in typeA, then it should consider the value of Success from typeB.
How do I do this?


Re: How to consider values of a field from the events of type1 when does not exist in type2?


Update:

Both types will have a common id. If typeA does not contain "Success" for id "123", it should consider the value of "Success" from typeB, which has the same id "123".


Re: How to consider values of a field from the events of type1 when does not exist in type2?

Hi,

The answer depends on how exactly your events look. But in general you can do something with stats to get both fields into one event:

your search | stats list(Success) as lsuccess by id | eval Success=mvindex(lsuccess,0)

I think to finally answer this question, we need more information about your events.

Greetings

Tom


Re: How to consider values of a field from the events of type1 when does not exist in type2?


@tom_frotscher, Please find the events and a bit more description on the requirement.

I have got events with two different types, type=First and type=Second.

I would like to get the consolidated (unique) tags from both types based on the following conditions.

i) If both types have a value of tag, then on priority it should consider the value of tag from type=First and ignore the tag value from type=Second, whether or not it has a value.
ii) If tag has no value, i.e. "", in type=First and the tag of type=Second has a value, then it should consider the value from type=Second for the same id as type=First.
iii) If both types have no value in tag, we can ignore this.

Note: the values of idfirst and idsecond are the same, but the naming convention is different.

time=1544071583425 type="First" version="2.0.5" status="OK" idfirst="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" idfirst="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" idfirst="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" idfirst="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" idfirst="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" idfirst="210491" user="boh" tag=""

time=1544071583425 type="Second" version="2.0.5" status="OK" idsecond="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" idsecond="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" idsecond="210470" user="wow" tag="fishy"
time=1544071583424 type="Second" version="2.0.5" status="OK" idsecond="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" idsecond="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" idsecond="210491" user="boh" tag="great"

Expected output:

tag      id
some     210469
where    210469
fishy    210470
wrong    210483
great    210487

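One way to implement the three rules above in SPL, as an added example that is not from the original thread (the index name is a placeholder, and the field names idfirst, idsecond, type and tag are taken from the sample events): the id is unified with coalesce, the tag is kept per type only when it is non-empty (a missing tag field and tag="" both become null), stats collapses both types onto one row per id, and coalesce then prefers the type=First value over type=Second.

```spl
index=<your_index> (type="First" OR type="Second")
| eval id=coalesce(idfirst, idsecond)
| eval tag_first=if(type="First" AND tag!="", tag, null())
| eval tag_second=if(type="Second" AND tag!="", tag, null())
| stats values(tag_first) as tag_first, values(tag_second) as tag_second by id
| eval tag=coalesce(tag_first, tag_second)
| where isnotnull(tag)
| table id tag
```

Ids where both types have an empty or missing tag (210483 in the sample) are dropped by the final where clause, which covers rule iii). Because tag="" is never stored in tag_first, a First event with an empty tag falls through to the Second value, which covers rule ii).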