Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to merge 2 fields and get unique value

dyapasrikanth
Path Finder
‎10-10-2019 11:17 PM

We have prod and non prod events and trying to display the environment names in dashboard. The prod events contain hostname and I can extract the environment name from it, where as non prod environment name comes from different field (kubernetes.namespace_name). How can I merge these 2 fields.

Prod

index=test_prod hostname=ab_bc-app1-prod-i-08077b980050dbd11 sometext

Non Prod

index=test_nonprod hostname=nonprod-i-4332 sometext kubernetes.namespace_name=np1

I have 2 different queries to get the environment name out of them

search index=test_prod  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | stats values(env) as env
search index=test_nonprod appname=* kubernetes.namespace_name!=null  | stats values(kubernetes.namespace_name) as env

I tried to merge these 2 queries but not getting the expected output

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | rename kubernetes.namespace_name as env | stats values(env)

But I am getting only prod environments but not non prod. Whats wrong I am doing?

0 Karma
Reply

dyapasrikanth
Path Finder
‎10-12-2019 05:46 PM

Some how this query working.

index=test_*  appname=* | rename kubernetes.namespace_name as env | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | sort env | dedup env | stats count by env
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2019 08:22 AM

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2019 06:09 AM

Try coalesce.

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | eval env=coalesce(env, kubernetes.namespace_name)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dyapasrikanth
Path Finder
‎10-12-2019 05:45 PM

No it didn't work, it is giving only prod environments

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...