Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to search and display two sources in a table?

pmhelfrich
Explorer
‎07-18-2016 02:36 PM

I found this thread, but wasn't able to get it to work for me:
https://answers.splunk.com/answers/74245/joining-data-from-2-data-sources-in-splunk.html

I have 2 sources that I would like to display in a table. The two sources use 2 columns as the "join" to know that it's the same data.

In other words i have:
Source A, Column_A, Column_B (as well as other columns)
Source B, Column_A, Column_C (as well as other columns)
Column_A=Column_A and Column_B=Column_C (has to be both matching, not just one set of columns or the others)

Based on the link above, I have tried:

index=index* (sourcetype=A OR sourcetype=B)
| rename Column_C as Column_B
| table

Maybe it doesn't matter, but I'm hung up on how Slunk knows what to join on if I don't tell it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-19-2016 11:24 AM

Try this

sourcetype=A | join column_A column_B [ search sourcetype=B | rename column_C AS column_B  | fields column_A column_B and other columns ] | table ...

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-19-2016 11:24 AM

Try this

sourcetype=A | join column_A column_B [ search sourcetype=B | rename column_C AS column_B  | fields column_A column_B and other columns ] | table ...
Reply
Solved! Jump to solution

pmhelfrich
Explorer
‎07-19-2016 02:28 PM

When you say "other columns," does that mean they have to be columns that match on each table, or just any column that I want from sourcetype B?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-18-2016 03:18 PM

Try like this

index=index* (sourcetype=A OR sourcetype=B)
| eval common_col=coalesce(Column_C,Column_B)
| table common_col list all other fields that you need here
| stats first(*) as * by common_col
0 Karma
Reply
Solved! Jump to solution

pmhelfrich
Explorer
‎07-19-2016 10:29 AM

Unfortunately this didn't work. I'm still only getting columns from one of the tables. The other tables columns are just showing blank.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-19-2016 11:28 AM

Can you share the query that you used? Also, could you confirm if there are matching data available in both the sourcetypes?

0 Karma
Reply
Solved! Jump to solution

pmhelfrich
Explorer
‎07-19-2016 02:13 PM

The query that I gave above is the exact query with renamed values. I just checked and there is definitely data available in both sourcetypes and that would qualify for a "join." When I run what you gave and add |search common_col=(value), It pulls two rows, and each has the others data blank. In other words, the query is looking at both sourcetypes, just not combining anything.

My understanding is the columns you specify in the |table command won't effect the results and is just for display, correct?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-19-2016 03:00 PM

Would you mind trying this

index=index* (sourcetype=A OR sourcetype=B)
 | eval common_col=coalesce(Column_C,Column_B)
 | table common_col list all other fields that you need here
 | stats values(*) as * by common_col
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...