Solved: How to dynamically add results / correlate in a se...

bahndg · ‎07-09-2019

I want to dynamically add fields to my result set depending on a search I did.

How do I can add fields/new columns based on a search from a result of the main-search ?

dynamically. I cant work with lookups for each result because I want to generate the end result each time.
Cant do that manually. I need to be to process this automatically.

Another example:

Lets say I am building a resultset with an query.
When results show up, how can I enrich my resultset with values from another index?

What I am looking is at writing SPLs which run once and during this one-shot they should correlate multiply events from multiply indexes. So result should be further processed and enriched by information from other indexes/columns.

What is the best way to do that with Splunk in one SPL ?

sonny_monti · ‎07-10-2019

You are looking for the join command, i.e:

index=test
| table Computer
| join Computer [ search (index=another_test) | head 1 | table Name Computer]

This correlates the Computer field both on index test and another_test and join the subsearch fields (except for the matching one).

Dont forget to upvote 🙂

View solution in original post

sonny_monti · ‎07-10-2019

You are looking for the join command, i.e:

index=test
| table Computer
| join Computer [ search (index=another_test) | head 1 | table Name Computer]

This correlates the Computer field both on index test and another_test and join the subsearch fields (except for the matching one).

Dont forget to upvote 🙂

HiroshiSatoh · ‎07-09-2019

I do not understand much what I want to do

For example, what about this search statement?

(index=test OR index=another_test)
|stats latest(Name) as Name by Computer

How to dynamically add results / correlate in a search with a sub-search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!