Solved: How to dedup non-overlapping fields in separate so...

yuanliu · ‎01-11-2023

I have two different sources with different fields. Let's call them sourcetypeA and sourcetypeB. Some fields that I wanted to dedup do not overlap. Let's say sfieldA only exists in sourcetypeA, sfieldB only exists in sourcetypeB. My intention is to have a single search (without append) to return events from both sources that contain unique sfieldA in sourcetypeA and unique sfieldB in sourcetypeB.

I was initially surprised that the following returned no event:

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| dedup sfieldA sfieldB

Then, I realized that this is to ask for dedup on nonexistent keys. My question is, then: Is there a syntax to express my intent?

richgalloway · ‎01-11-2023

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-11-2023

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.

How to dedup non-overlapping fields in separate sources?

fields

other

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...