Splunk Search

How to match the values from different rows on a table and fetch another field value?

pramit46
Contributor

I have a table as follows:

col_a | col_b| user_id
000-01 | [null] | [null]
[null] | 000-01 | uid01
000-02 | [null] | [null]
[null] | 000-02 | uid02

All I want is to match the values of col_a and col_b and then fetch the value of respective user_ids.
But the problem is, due to having the values in different rows, I cannot match them using join or match.

Any idea, what to do???

0 Karma

woodcock
Esteemed Legend

Like this:

... | eval combined = case (isnull(col_a), col_b, isnull(col_b), col_a, true(), col_a . "::" . col_b) | makemv delim="::" combined | stats values(*) AS * BY combined

Or perhaps, if I am misunderstanding you, this:

... | eval combined = case (isnull(col_a), col_b, isnull(col_b), col_a, true(), col_a . "::" . col_b) | makemv delim="::" combined | fillnull value="NULL" user_id | stats values(*) AS * BY user_id
0 Karma

sundareshr
Legend

Try this

your base search | eval col_a=coalesce(col_a, col_b) | stats last(user_id) as user by col_a
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...