How to merge 2 fields and get unique value

dyapasrikanth · ‎10-10-2019

We have prod and non prod events and trying to display the environment names in dashboard. The prod events contain hostname and I can extract the environment name from it, where as non prod environment name comes from different field (kubernetes.namespace_name). How can I merge these 2 fields.

Prod

index=test_prod hostname=ab_bc-app1-prod-i-08077b980050dbd11 sometext

Non Prod

index=test_nonprod hostname=nonprod-i-4332 sometext kubernetes.namespace_name=np1

I have 2 different queries to get the environment name out of them

search index=test_prod  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | stats values(env) as env
search index=test_nonprod appname=* kubernetes.namespace_name!=null  | stats values(kubernetes.namespace_name) as env

I tried to merge these 2 queries but not getting the expected output

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | rename kubernetes.namespace_name as env | stats values(env)

But I am getting only prod environments but not non prod. Whats wrong I am doing?

dyapasrikanth · ‎10-12-2019

Some how this query working.

index=test_*  appname=* | rename kubernetes.namespace_name as env | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | sort env | dedup env | stats count by env

richgalloway · ‎10-13-2019

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-11-2019

Try coalesce.

index=test_*  appname=* | rex field=host "ab_bc-[^-]*-(?P<env>[^-]*)-" | eval env=coalesce(env, kubernetes.namespace_name)

---
If this reply helps you, Karma would be appreciated.

dyapasrikanth · ‎10-12-2019

No it didn't work, it is giving only prod environments

How to merge 2 fields and get unique value

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio