Re: How to join extracted, multi-value SourceTypeA...

DrColombes · ‎03-30-2012

I want to compute a join of an extracted, multi-value SourceTypeA:field_a string variable with an extracted SourceTypeB:field_b string variable.

I've received a partial answer on how to do a "detour join" in Splunk via Intersect and Stats:

(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...)

| eval c = if (sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b)

| stats values (x) values (y) values(z) by c

I'm guessing the searches (for the extracted, multi-value field_a and extracted field_b) go in the sourcetype clauses above.

I want to output the values where SourceTypeA:field_a = SourceTypeB:field_b.

Thanks for your help.

woodcock · ‎07-04-2015

You have the correct solution, even for multi-value fields, except for the whitespaces between values and (; this should work fine:

(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...) | eval joiner = if (sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b) | stats values(*) AS * by joiner

Stephen_Sorkin · ‎03-30-2012

Which field do you want to display from SourceTypeA and SourceTypeB? The recipe is the same regardless of whether field_a and field_b are multivalued.

How to join extracted, multi-value SourceTypeA:field_a with extracted SourceType:field_b?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring

Join the Conversation

How to join extracted, multi-value SourceTypeA:field_a with extracted SourceType:field_b?

Congratulations to the 2025-2026 SplunkTrust!

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

Your Guide to Splunk Digital Experience Monitoring