Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to join extracted, multi-value SourceTypeA:field_a with extracted SourceType:field_b?

DrColombes
New Member
‎03-30-2012 06:27 AM

I want to compute a join of an extracted, multi-value SourceTypeA:field_a string variable with an extracted SourceTypeB:field_b string variable.

I've received a partial answer on how to do a "detour join" in Splunk via Intersect and Stats:

(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...)

| eval c = if (sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b)

| stats values (x) values (y) values(z) by c

I'm guessing the searches (for the extracted, multi-value field_a and extracted field_b) go in the sourcetype clauses above.

I want to output the values where SourceTypeA:field_a = SourceTypeB:field_b.

Thanks for your help.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2015 02:14 PM

You have the correct solution, even for multi-value fields, except for the whitespaces between values and (; this should work fine:

(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...) | eval joiner = if (sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b) | stats values(*) AS * by joiner
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-30-2012 07:12 AM

Which field do you want to display from SourceTypeA and SourceTypeB? The recipe is the same regardless of whether field_a and field_b are multivalued.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...