Splunk Search

How to create a table with fields from two different indexes

maryamchar
Explorer

I want to create a table with all fields from two different indexes.

index=A | rename fieldA as field1 | table field1 fieldAA fieldAB fieldAC
index=B | rename fieldB as field1 | table field1 fieldBB fieldBC

I want a table that shows all fields, including the common field, which is field1.

| table field1 fieldAA fieldAB fieldAC fieldBB fieldBC

0 Karma
1 Solution

Vijeta
Influencer

Try something like-

index=A or index=B| eval field1=coalesce(fieldA,fieldB)| stats values(*) as * by field1


0 Karma

koshyk
Super Champion

Another option is to do it using transaction, so the events can be clubbed together:

index=A or index=B
| rename fieldA as field1 
| rename fieldB as field1
| transaction field1 
| table field1 fieldAA fieldAB fieldAC fieldBB fieldBC
0 Karma

maryamchar
Explorer

Thank you! It worked!!

0 Karma

koshyk
Super Champion

thanks. Please upvote if it helped. cheers

0 Karma

maryamchar
Explorer

Sorry, but I ran the search now and the table only shows certain values from one index and ignores the other index. Is there a reason for that? Why does the table have empty fields even though the data exists?

0 Karma

maryamchar
Explorer

One more question related to the same query above. I want to show the count by field1. How would I do that?

| stats count by field1

0 Karma

koshyk
Super Champion

If you do
| stats count by field1

this will show just the count for field1 after clubbing the transaction.

If you want to retain the original table and then count, it is better to do
index=A or index=B
| rename fieldA as field1
| rename fieldB as field1
| transaction field1
| streamstats count as field_count by field1
| table field1 field_count fieldAA fieldAB fieldAC fieldBB fieldBC

0 Karma

Vijeta
Influencer

Try something like-

index=A or index=B| eval field1=coalesce(fieldA,fieldB)| stats values(*) as * by field1
0 Karma

maryamchar
Explorer

Thank you! It worked!

0 Karma

maryamchar
Explorer

If I want to have stats values for certain fields only from both indexes, how would I do that? Thank you!!

0 Karma