How to select and join fields from 2 sources?
Hi everyone,
I'm still a newbie to using Splunk. I want to ask about selecting and joining fields in 2 sources.
Example:
source 1: S1
fields: A1, B1, C1
source 2: S2
fields: A1, A2, B2
I want to select A1, B1, C1, A2, B2 and join A1 in source 1 and source 2.
How would I write this search in Splunk?
Please help me.
Thanks
I need to join two sources with different indexes to get a report out. Basically, one source has names along with email and other information I need, and the other source has names and email, along with a Job field that I need. How can I get the needed output from both sources in one output? I'm thinking of using the email address to search on, since it's found in both lists, but I'm not able to get it to work.
What would a good command be?
Oftentimes join is not the droid you are looking for.
Without more context around your problem, my initial guess would be something like:
(source=S1 OR source=S2) A1=* | fields A1 B1 C1 A2 B2 | stats values(*) as * by A1
But of course it depends on your data, and what you're wanting to do with it. I'd recommend reading the linked answer above.
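The stats-based merge suggested in the answer above, as an added example that is not part of the original post. The makeresults/append lines build constructed sample events for S1 and S2 (every value is made up), the key A1 is normalized before grouping, and dc(source) keeps only keys seen in both sources, which is the result an inner join would give.

```spl
| makeresults
| eval source="S1", A1="k1", B1="b1-sample", C1="c1-sample"
| append [| makeresults | eval source="S1", A1="k2", B1="b1-only", C1="c1-only"]
| append [| makeresults | eval source="S2", A1="K1 ", A2="a2-sample", B2="b2-sample"]
| append [| makeresults | eval source="S2", A1="k3", A2="a2-only", B2="b2-only"]
| eval A1=lower(trim(A1))
| stats dc(source) as source_count values(B1) as B1 values(C1) as C1 values(A2) as A2 values(B2) as B2 by A1
| where source_count=2
| fields - source_count
```

With this sample data only the k1 row remains; dropping the where line also keeps k2 and k3, which appear in just one source.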
Thanks for the cross reference 🙂
Okay, thanks for the help 🙂
What have you tried so far? Look at this documentation, which explains with examples:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Join
How is it possible to combine or join 2 sources (.csv format) with exactly the same extracted fields?
source1: column1,column2,column3
source2: column1,column2,column3
In my example the first column from each source just shows milliseconds and is absolutely equal -> column1 (source1) = column1 (source2) <- these fields I want to overlay. The values from column2 and column3 differ.
I now want to have a table in this format:
column1 column2 column2 column3 column3
Then I could compare the values from column2 with each other and the values from column3 with each other in a line chart with x-axis = column1. Also, it would be nice if there were one y-axis for the values of column2 and another y-axis for column3, combined in one chart.
Thanks in advance!!
