Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to consolidate events that have an ID field with different names across multiple sourcetypes?

changux
Builder
‎09-22-2016 03:55 PM

Hi all.

I have almost 20 different sourcetypes. Field names in sourcetypes are different and I don't have the same in more than 1 sourcetype. Each sourcetype has a "slice" of a record using an ID, but this ID has different names across the sourcetypes. I mean:

sourcetype: example1
ID Field: ex1_id
ex1_id: 5555
ex1_type: Tool

sourcetype: example2
ID Field: ex2_id
ex2_id: 5555
ext2_name: SN56616

sourcetype: example3
ID Field: ex3_id
ex2_id: 5555
ext3_kind: none

I need to search in all sourcetypes and create a resulting table that looks like:

ID     |   ext1_type   |  ext2_name    |  ext3_kind
5555   |   Tool        |  SN56616      |  none

I tried to create a field alias by sourcetype to the appropriate ID Field name to use the same name like ID to facilitate the search. I don't how proceed, transaction? join?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎09-22-2016 04:08 PM

Hi changux,

Take a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn on this topic. But meanwhile try this search:

sourcetype=example1 OR sourcetype=example2 OR sourcetype=example3
| eval ID=case(sourcetype="example1",ex1_id,sourcetype="example2",ex2_id,sourcetype="example3",ex3_id,) 
| stats values(*) AS * by ID
| table ID *

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

twinspop
Influencer
‎09-22-2016 04:09 PM 
sourcetype=example* | stats values(ex1_type) as ext1_type values(ext2_name) as ext2_name values(ext3_kind) as ext3_kind by ID

Assumptions:

You have a field extraction for ID Field as ID
You have field extractions for ex1_type, ext2_name and ext3_kind

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎09-22-2016 04:08 PM

Hi changux,

Take a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... to learn on this topic. But meanwhile try this search:

sourcetype=example1 OR sourcetype=example2 OR sourcetype=example3
| eval ID=case(sourcetype="example1",ex1_id,sourcetype="example2",ex2_id,sourcetype="example3",ex3_id,) 
| stats values(*) AS * by ID
| table ID *

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

changux
Builder
‎09-22-2016 04:24 PM

Thanks, awesome!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...