Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to dedup non-overlapping fields in separate sources?

yuanliu
SplunkTrust
SplunkTrust
‎01-11-2023 11:05 AM

I have two different sources with different fields.  Let's call them sourcetypeA and sourcetypeB.  Some fields that I wanted to dedup do not overlap.  Let's say sfieldA only exists in sourcetypeA, sfieldB only exists in sourcetypeB.  My intention is to have a single search (without append) to return events from both sources that contain unique sfieldA in sourcetypeA and unique sfieldB in sourcetypeB.

I was initially surprised that the following returned no event:

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| dedup sfieldA sfieldB

Then, I realized that this is to ask for dedup on nonexistent keys.  My question is, then: Is there a syntax to express my intent?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-11-2023 11:45 AM

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-11-2023 11:45 AM

The method requires creating a common field.

sourcetype = sourcetypeA OR sourcetype = sourcetype B
| eval sfield = coalesce(sfieldA, sfieldB)
| dedup sfield

The coalesce function sets sfield to whichever field of sfieldA and sfieldB exists in the current event.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...