Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for a value in multiple fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 sources in separate indexes; the first contains a field "appId"; to get the human readable (appDisplayName) I need to search the 2nd source. Normally I'd do this with a subsearch:
index=index2 sourcetype=st2
[search index=index1 sourcetype=st1 | stats values(appId) as appId |format]
|stats values(appDisplayName) as appDisplayName by appId
The problem I'm running into is the ID for the app in the first source is always called "appId" but depending on the type of app (which i don't know from the first source); appId will either correspond to 1 of 2 fields in the second source; it will either be "appId" or "resourceId". I need to find "appId" from the 1st source in either "appId" or "resourceId" in the second source and the corresponding human readable will either be "appDisplayName" or "resourceDisplayName" in the second source.
Any ideas on how to approach this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't use a subsearch where the stats can handle connecting the two. This is called the "Splunk soup" method.
(index=index2 sourcetype=st2) OR
(index=index1 sourcetype=st1)
| fields appId, resourceId appDisplayName resourceDisplayName
| rename COMMENT as "above selects only the record types and fields you need"
| rename COMMENT as "create synthetic fields as per diogofm answer"
| eval appId = coalesce(appId, resourceId)
| eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)
| rename COMMENT as "stats together for final result"
| stats values(appDisplayName) as appDisplayName by appId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't use a subsearch where the stats can handle connecting the two. This is called the "Splunk soup" method.
(index=index2 sourcetype=st2) OR
(index=index1 sourcetype=st1)
| fields appId, resourceId appDisplayName resourceDisplayName
| rename COMMENT as "above selects only the record types and fields you need"
| rename COMMENT as "create synthetic fields as per diogofm answer"
| eval appId = coalesce(appId, resourceId)
| eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)
| rename COMMENT as "stats together for final result"
| stats values(appDisplayName) as appDisplayName by appId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can always eval the multiple fields into one using coalesce.
|eval appId = coalesce(appId, resourceId)
|eval appDisplayName = colaesce(appDisplayName, resourceDisplayName)
A nice blog post about coalesce:
https://www.splunk.com/en_us/blog/tips-and-tricks/search-command-coalesce.html
Hope I was able to help you. If so, some karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I wish I could accept both answers.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
