Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge two SPL to get common output?

amey2407
Splunk Employee
Splunk Employee
‎08-14-2022 09:13 PM

We have output of 2 queries in terms of disk usage. One is from DELL and one is rom Huawei index.

Dell Query: 

|`cluster_overview(isisyd)` | table _time stats.key lnn stats.value | search (stats.key="ifs.bytes.avail" OR stats.key="ifs.bytes.used" OR stats.key="ifs.ssd.bytes.free" OR stats.key="ifs.ssd.bytes.used") | eval Usage = case('stats.key'="ifs.bytes.avail","HDD Available",'stats.key'="ifs.bytes.used","HDD Used",'stats.key'="ifs.ssd.bytes.free","SSD Available",'stats.key'="ifs.ssd.bytes.used","SSD Used")  | `bytes_to_gb_tb_pb('stats.value')` |  eval Usage = Usage . " (in GB)" | stats latest(bytes_gb) AS Space by Usage

Huawei query: 

index="huawei_storage"
            | fields DeviceModel,Version,WWN,SN,TotalCapacity,UsableCapacity,UsedCapacity,DataProtection,FreeCapacity
            | dedup SN
            | table DeviceModel,Version,WWN,SN,TotalCapacity,UsableCapacity,UsedCapacity,DataProtection,FreeCapacity

Attached SS suggests the current individual output. End goal is to have one single table combining both Huawei and Dell storage capacity information.  Any help is appreciated.

Labels (5)
Tags (1)
Preview file
835 KB
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎08-15-2022 04:37 AM

@amey2407 - Is there any reason why append to append results and renaming fields to make it common fields does not work?

0 Karma
Reply

amey2407
Splunk Employee
Splunk Employee
‎08-14-2022 10:22 PM

@bowesmana Thank you very much for your quick response! Much appreciated! I know that some of the fields are not same. Is there a way I can merge them in a single column if I know which field corresponds to the same field in other SPL. For example, Dell parameter "ifs.ssd.bytes.used" is equivalent to Huawei parameter "UsedCapacity" and i want both output in single column (One for dell and one for Huawei). (We can rename the field as "Capacity used".

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-15-2022 04:37 PM

If you use the 'append' approach, then simply rename the Dell field as "Capacity Used" in the first part of the search and do the same for the equivalent Huawei one in the append section.

If you end up making a single search with 

(Search Dell) OR (Search Huawei)

then you would use something like

| eval "Capacity Used"=coalesce('ifs.ssd.bytes.used', UsedCapacity)

and then just use the new "Capacity Used" field in your table

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-14-2022 10:10 PM

You have a number of additional fields in the Huawei output compared to Dell, however, if you make the Dell Usage field values the same as the Huawei fields, you can then do either of these

| transpose 0 header_field=Usage

OR 

| eval DeviceModel="Dell"
| xyseries  DeviceModel Usage Space

to turn the first table round so that it matches the Huawei. Then append the Huawei search onto the Dell search with

...DellSearch...

| eval DeviceModel="Dell"
| xyseries DeviceModel Usage Space

| append [
  search index=huawei...
]

However, your fields between the two searches are somewhat different, in that your Dell data doesn't appear to have all the same fields as the Huawei.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...