Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join data and extract field values as field names?

splunk_worker
Path Finder
‎08-05-2014 07:31 PM

How to change event field values into field name?

Event log sample1:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
id, code, message
1, 1111, "one"
3, 12345, "three"

Event log sample2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
id, keyname, keyvalue
1, name , john
1, place, richmond
1, activity, login
1, environment, mobile
2, name , bob
2, lastname, bill
3, name, charle
3, location, newyork
3, activity, transaction
4 name, Danny
4 lastname, Huber
5, name, eugene

Both event have common field called "id". I will join both data searches using join command.
e.g: index=abc code=111 | join id [search index=blah ]

But my requirement is, for the above search when the code is 111, i need get the table in following format
id, code, message, name, place, activity, environment
1 , 1111, "one", john, richmond, login, mobile

Please note that, the values of keyname and keyvalue are become field-name and its values respectively. Please let me know how to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎08-06-2014 08:26 AM

Try this

index=abc code=1111 | join id [search index=blah | xyseries id keyname keyvalue]

OR 

index=abc code=1111 | join id [search index=blah | chart first(keyvalue) over id by keyname]
0 Karma
Reply

strive
Influencer
‎08-06-2014 12:32 AM

Try this

 index=abc  code=1111 | join id[search index=blah | chart first(keyvalue) by id keyname]
0 Karma
Reply

strive
Influencer
‎08-06-2014 07:29 AM

In your question, you said you need it for code 1111. Take out the condition code=1111 and execute the search.

0 Karma
Reply

splunk_worker
Path Finder
‎08-06-2014 05:57 AM

Thanks for ur response.

The above searching is putting keyname parameter values as column variables (this 100% fine). But the value from keyvalue is displayed only for one column variable ( created from keyname) per id.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...