Re: How to merge 2 SPL to get common output?

amey2407 · ‎08-14-2022

We have output of 2 queries in terms of disk usage. One is from DELL and one is rom Huawei index.

Dell Query:

|`cluster_overview(isisyd)` | table _time stats.key lnn stats.value | search (stats.key="ifs.bytes.avail" OR stats.key="ifs.bytes.used" OR stats.key="ifs.ssd.bytes.free" OR stats.key="ifs.ssd.bytes.used") | eval Usage = case('stats.key'="ifs.bytes.avail","HDD Available",'stats.key'="ifs.bytes.used","HDD Used",'stats.key'="ifs.ssd.bytes.free","SSD Available",'stats.key'="ifs.ssd.bytes.used","SSD Used") | `bytes_to_gb_tb_pb('stats.value')` | eval Usage = Usage . " (in GB)" | stats latest(bytes_gb) AS Space by Usage

Huawei query:

index="huawei_storage"
            | fields DeviceModel,Version,WWN,SN,TotalCapacity,UsableCapacity,UsedCapacity,DataProtection,FreeCapacity
            | dedup SN
            | table DeviceModel,Version,WWN,SN,TotalCapacity,UsableCapacity,UsedCapacity,DataProtection,FreeCapacity

Attached SS suggests the current individual output. End goal is to have one single table combining both Huawei and Dell storage capacity information. Any help is appreciated.

VatsalJagani · ‎08-15-2022

@amey2407 - Is there any reason why append to append results and renaming fields to make it common fields does not work?

amey2407 · ‎08-14-2022

@bowesmana Thank you very much for your quick response! Much appreciated! I know that some of the fields are not same. Is there a way I can merge them in a single column if I know which field corresponds to the same field in other SPL. For example, Dell parameter "ifs.ssd.bytes.used" is equivalent to Huawei parameter "UsedCapacity" and i want both output in single column (One for dell and one for Huawei). (We can rename the field as "Capacity used".

bowesmana · ‎08-15-2022

If you use the 'append' approach, then simply rename the Dell field as "Capacity Used" in the first part of the search and do the same for the equivalent Huawei one in the append section.

If you end up making a single search with

(Search Dell) OR (Search Huawei)

then you would use something like

| eval "Capacity Used"=coalesce('ifs.ssd.bytes.used', UsedCapacity)

and then just use the new "Capacity Used" field in your table

bowesmana · ‎08-14-2022

You have a number of additional fields in the Huawei output compared to Dell, however, if you make the Dell Usage field values the same as the Huawei fields, you can then do either of these

| transpose 0 header_field=Usage

OR 

| eval DeviceModel="Dell"
| xyseries  DeviceModel Usage Space

to turn the first table round so that it matches the Huawei. Then append the Huawei search onto the Dell search with

...DellSearch...

| eval DeviceModel="Dell"
| xyseries DeviceModel Usage Space

| append [
  search index=huawei...
]

However, your fields between the two searches are somewhat different, in that your Dell data doesn't appear to have all the same fields as the Huawei.

How to merge two SPL to get common output?

field extraction

join

stats

subsearch

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

How to merge two SPL to get common output?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.