Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to correlate two JSON objects via a key-value ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Imagine there are thousands of JSON entries and I want to correlate object pairs via a key/value pair.
Entry #44
{
speed: 55,
distance: 18,
time: 1481216486,
color: red,
}
Entry #323
{
speed: 75,
distance: 38,
time: 1481216486,
color: blue,
}
Search:
sourcetype=test_drive (DO THE MAGIC) | eval first_distance=distance(#44) | eval second_distance=distance(#323) | table time first_distance(#323) second_distance(#44)
So basically I'm trying to find an entry pair via a key/value pair and use another key/value pair from the entry pair and create a table.
Sorry for the horrible formatting. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer below at Stack Overflow: http://stackoverflow.com/a/41109872/5415084
You want to use the transaction filter here, http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Transaction
This won't gracefully merge your json in _raw, but it will make the properties available to query/chart upon.
In this example, I assume you want to merge events by the time property, since that is the only matching field.
sourcetype=test_drive (DO THE MAGIC) | eval first_distance=distance(#44) | eval second_distance=distance(#323) | transaction time | table time first_distance(#323) second_distance(#44)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer below at Stack Overflow: http://stackoverflow.com/a/41109872/5415084
You want to use the transaction filter here, http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Transaction
This won't gracefully merge your json in _raw, but it will make the properties available to query/chart upon.
In this example, I assume you want to merge events by the time property, since that is the only matching field.
sourcetype=test_drive (DO THE MAGIC) | eval first_distance=distance(#44) | eval second_distance=distance(#323) | transaction time | table time first_distance(#323) second_distance(#44)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
