Solved: How to dedup non-overlapping fields in separate so...

yuanliu · ‎01-11-2023

I have two different sources with different fields. Let's call them sourcetypeA and sourcetypeB. Some fields that I wanted to dedup do not overlap. Let's say sfieldA only exists in sourcetypeA, sfieldB only exists in sourcetypeB. My intention is to have a single search (without append) to return events from both sources that contain unique sfieldA in sourcetypeA and unique sfieldB in sourcetypeB.

I was initially surprised that the following returned no event:

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| dedup sfieldA sfieldB

Then, I realized that this is to ask for dedup on nonexistent keys. My question is, then: Is there a syntax to express my intent?

richgalloway · ‎01-11-2023

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-11-2023

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.

How to dedup non-overlapping fields in separate sources?

fields

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms