Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge 2 fields and get unique value

dyapasrikanth
Path Finder
‎10-10-2019 11:17 PM

We have prod and non prod events and trying to display the environment names in dashboard. The prod events contain hostname and I can extract the environment name from it, where as non prod environment name comes from different field (kubernetes.namespace_name). How can I merge these 2 fields.

Prod

index=test_prod hostname=ab_bc-app1-prod-i-08077b980050dbd11 sometext

Non Prod

index=test_nonprod hostname=nonprod-i-4332 sometext kubernetes.namespace_name=np1

I have 2 different queries to get the environment name out of them

search index=test_prod  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | stats values(env) as env
search index=test_nonprod appname=* kubernetes.namespace_name!=null  | stats values(kubernetes.namespace_name) as env

I tried to merge these 2 queries but not getting the expected output

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | rename kubernetes.namespace_name as env | stats values(env)

But I am getting only prod environments but not non prod. Whats wrong I am doing?

0 Karma
Reply

dyapasrikanth
Path Finder
‎10-12-2019 05:46 PM

Some how this query working.

index=test_*  appname=* | rename kubernetes.namespace_name as env | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | sort env | dedup env | stats count by env
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2019 08:22 AM

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2019 06:09 AM

Try coalesce.

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | eval env=coalesce(env, kubernetes.namespace_name)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dyapasrikanth
Path Finder
‎10-12-2019 05:45 PM

No it didn't work, it is giving only prod environments

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...