Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to link two sources with equals fields in each?

clairebesson
Explorer
‎08-18-2015 01:41 PM

Hey everyone,
Here is my problem:
I have two sources (Source1 and Source2):
* In source1 I have the field "device number" written like that: "Inst-C6:82:c3"
* In the second source I have the field "MAC Address" written like that: "9B:DC:DF:C6:82:c3"

As you can see, the parts in bold are the same. I would like to create a table with this two fields that displays when field1=field2.
I don't know how to select the part in bold and add a condition to create a table.
Could you please help me with that?
(This will permit me to link these two different sources)

Thanks in advance !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chanmi2
Path Finder
‎08-21-2015 02:37 AM

Try this:

source=source1 | eval common_part = replace("device number", "^Inst-(\w\w:\w\w:\w\w)$", "\1") | join common_part [source=source2 |eval common_part = replace("Mac Address", "\w\w:\w\w:\w\w:(\w\w:\w\w:\w\w)$", "\1")]

View solution in original post

Reply
Solved! Jump to solution
Solution

chanmi2
Path Finder
‎08-21-2015 02:37 AM

Try this:

source=source1 | eval common_part = replace("device number", "^Inst-(\w\w:\w\w:\w\w)$", "\1") | join common_part [source=source2 |eval common_part = replace("Mac Address", "\w\w:\w\w:\w\w:(\w\w:\w\w:\w\w)$", "\1")]

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-18-2015 02:52 PM

Try something like this

source=source1 OR source=source2 | table "Device Number" "Mac Address" | eval commonfield=replace(coalesce('Device Number','Mac Address'),"(.*)(\w\w:\w\w:\w\w)$","\2") | stats values(*) as * by commonfield
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2015 02:06 PM

Perhaps something like this will get you started.

source=Source1 OR source=Source2 | rex field="device number" "Inst-(?P<part1>\w\w:\w\w:\w\w)" | rex field="MAC Address" "\w\w:\w\w:\w\w:(?P<part2>\w\w:\w\w:\w\w)" | where part1=part2 | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability - October 2025

What’s New?  We’re excited to announce the latest enhancements to Splunk Observability Cloud and share what’s ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...