How to join data from a database to an event with ...

Bstylee303 · ‎02-16-2016

So the basic idea of this is I have an event that has multiple entries within the same Data field. I need to join info from the database on these entries. With my current join, I only get data joined when the event has only 1 entry in this field

ie:
Event1-
Session.Username
Data.X.Number- 1,2,3,4,5

Event 2-
Session.Username2
Data.X.Number-1

Want to join information from the DB, but in the DB, each line is stored as
Col1 Col2 Col3
Username, 1, Info I need
Username, 2 , Info I need
Username, 3 , Info I need
Username2, 1, Info I need

Is it possible to join on both fields when there is more than 1 value in Data.X.Number so I can get Col3 associated to each Number? In the above, it will join correctly with Event2, but Event1 won't get any information from the DB.

maciep · ‎03-06-2016

I think the answer is to create a separate event for each number the Data.X.Number field. If that field is already a multi-valued field in Splunk, then just use mvexpand. If it's not a multi-valued, then make it one first and then use mvexpand. Once you do that, then in your example above, Event 1 will be broken out into 5 separate events in your search results, all of them will be the same except for the Data.X.Number field.

For example

[your base event search] | makemv delim="," Data.X.Number | mvexpand Data.X.Number

At that point, I think your join should work.

somesoni2 · ‎02-16-2016

Can you post your current queries (both) with names of available fields?

How to join data from a database to an event with multiple values for a field in the same event?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!