- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to merge one query with another one that has the same field?
I currently have this search query:
source="C:\Users\ragate\Desktop\splunk\JsonDump.txt" | eval "LicenseKeyID"=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | table "context.custom.dimensions{}.DocumentSessionId" "context.user.anonId" by LicenseKeyID |
I want to merge it with this one:
source="LMCustomerRevLicense.csv" $account_drop$ | dedup "Account Name" | table "License Key Identifier" "Account Name" "Total Revenue"
I made the License Keys be the same as the first source. I want to merge these two together and have everything sorted from the license key. I also want anything that does not match with the license keys in the first search to be removed. Is this possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ppablo, please kill this question, it is a duplicate of this one:
https://answers.splunk.com/answers/668183/how-do-i-merge-two-fields-together-and-get-rid-of.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Searches don't really help as much as post OPs think. What we REALLY need is sample data from each source and then a mockup of your desired output with some commentary. If you provide this, I can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure. The JsonDumb.txt file has these fields:
UserID context.custom.dimensions{}.LicenseKey context.custom.dimensions{}.DocumentSessionId
BM\jezeld CC-51TovCt-ST0-X-Q9946 This is a string of 20 random numbers and letters
For the LMCustomerRevLicense.csv I have these fields:
License Key Identifier Account Name Total Active Subscription Revenue _converted
51TovCt Johnson LLC 556,000
For these, the only thing I could find that would match these list together were the license keys. So I usesd substr in the first set of data to just keep the seven numbers and letters after the CC. I would like to merge these together so that I can have everything that does not match with the License Keys that have been substr to be removed. Is this possible with this information provided.
