Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for a value in multiple fields

robinettdonWY
Path Finder
‎04-10-2020 11:37 AM

I have 2 sources in separate indexes; the first contains a field "appId"; to get the human readable (appDisplayName) I need to search the 2nd source. Normally I'd do this with a subsearch:

index=index2 sourcetype=st2 
    [search index=index1 sourcetype=st1 | stats values(appId) as appId |format]
|stats values(appDisplayName) as appDisplayName by appId

The problem I'm running into is the ID for the app in the first source is always called "appId" but depending on the type of app (which i don't know from the first source); appId will either correspond to 1 of 2 fields in the second source; it will either be "appId" or "resourceId". I need to find "appId" from the 1st source in either "appId" or "resourceId" in the second source and the corresponding human readable will either be "appDisplayName" or "resourceDisplayName" in the second source.

Any ideas on how to approach this?

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-10-2020 12:07 PM

Don't use a subsearch where the stats can handle connecting the two. This is called the "Splunk soup" method.

(index=index2 sourcetype=st2) OR 
(index=index1 sourcetype=st1)
 | fields appId, resourceId appDisplayName resourceDisplayName
 | rename COMMENT as "above selects only the record types and fields you need" 

 | rename COMMENT as "create synthetic fields as per diogofm answer" 
 | eval appId = coalesce(appId, resourceId)
 | eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)

 | rename COMMENT as "stats together for final result" 
 | stats values(appDisplayName) as appDisplayName by appId

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-10-2020 12:07 PM

Don't use a subsearch where the stats can handle connecting the two. This is called the "Splunk soup" method.

(index=index2 sourcetype=st2) OR 
(index=index1 sourcetype=st1)
 | fields appId, resourceId appDisplayName resourceDisplayName
 | rename COMMENT as "above selects only the record types and fields you need" 

 | rename COMMENT as "create synthetic fields as per diogofm answer" 
 | eval appId = coalesce(appId, resourceId)
 | eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)

 | rename COMMENT as "stats together for final result" 
 | stats values(appDisplayName) as appDisplayName by appId
0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎04-10-2020 11:56 AM

You can always eval the multiple fields into one using coalesce.

|eval appId = coalesce(appId, resourceId)
|eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)

A nice blog post about coalesce:
https://www.splunk.com/en_us/blog/tips-and-tricks/search-command-coalesce.html

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

robinettdonWY
Path Finder
‎04-13-2020 07:48 AM

Thanks! I wish I could accept both answers.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...