Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to join two events based on one common val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join two events based on one common value?
Hi,
I have two different events of data :
Event 1 = mail :
id_mail : 1
title_mail : test
mail_srv : host1
Event 2 = server:
id_srv : 3
srv_name : host1
srv_ip : 192.168.0.1
I want to print Event 1 (mail) data with a column containing the server IP like this : id_mail, title_mail, mail_srv, srv_ip
How can I do this?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | eval srv_name = coalesce(mail_srv,srv_name)
| fields id_mail title_mail id_srv srv_name srv_ip
| stats values(*) AS * BY srv_name
| table id_mail title_mail id_srv srv_name srv_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
Your Search Here To Get Both Types Of Events | eval srv_ip=coalesce(srv_ip, mail_srv) | stats min(_time) AS _time values(*) AS * BY srv_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is almost certainly a better way to do this, but I think this will work based on the information that you have given
index=A sourcetype=mail
| join type=outer mail_srv [ search index=B sourcetype=server | dedup srv_name | rename srv_name as mail_srv ]
| table id_mail, title_mail, mail_srv, srv_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There need to be a common field between those two type of events. If that common field (in terms of matching values) is mail_srv/srv_name, then try like this
your base search fetching both type of events
| eval host_name=coalesce(mail_srv,srv_name)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer but It doesn't give the result i want.
I want to be able to use the fields the two events :
Event 1 = mail :
id_mail : 1
title_mail : test
mail_srv : host1
Event 2 = server:
id_srv : 3
srv_name : host1
srv_ip : 192.168.0.1
I want to be able to print a table like this :
id_mail, title_mail, host1,id_srv ,srv_name ,srv_ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whats about xyseries command. which convert coloms to rows.
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Xyseries
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Didn't realize the query was incompletely posted. Here is the full query
your base search fetching both type of events
| eval host_name=coalesce(mail_srv,srv_name)
| stats values(id_mail) as id_mail, values(title_mail) as title_mail ,values(id_srv) as id_srv, values(srv_ip) as srv_ip by host_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the usage of "coalesce" is brilliant... I would've suggested "join"
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
