Splunk Search

How to select and join fields from 2 sources?

irfan_10578
Engager

Hi everyone,

I'm still a newbie to using Splunk. I want to ask about selecting and joining fields in 2 sources.

Example:

source 1: S1
fields: A1, B1, C1

source 2: S2
fields: A1, A2, B2

I want to select A1, B1, C1, A2, B2 and join A1 in source 1 and source 2.

How would I write this search in Splunk?

Please help me.
Thanks

0 Karma

nmahrouq
New Member

I need to join two sources with different indexes to get a report out. Basically, one source has names along with email and other information I need, and the other source has names and email, along with a Job field that I need. How can I get the needed output from both sources in one output? I'm thinking of using the email address to search on, since it's found in both lists, but I'm not able to get it to work.
What would a good command be?

0 Karma

acharlieh
Influencer

Oftentimes join is not the droid you are looking for.

Without more context around your problem, my initial guess would be something like:

(source=S1 OR source=S2) A1=* | fields A1 B1 C1 A2 B2 | stats values(*) as * by A1

But of course it depends on your data, and what you're wanting to do with it. I'd recommend reading the linked answer above.
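The stats-based merge from the answer above, as an added example that is not part of the original thread: it generates four constructed events with makeresults, merges them by A1, and then keeps only the keys seen in both sources, as an inner join would. The key and field values are made up for illustration, and the dc(source) count with the final where line is an addition to the answer's search; drop that last line to keep keys that appear in only one source.

```spl
| makeresults
| eval source="S1", A1="sample-key-1", B1="sample-b1-x", C1="sample-c1-x"
| append [| makeresults | eval source="S1", A1="sample-key-2", B1="sample-b1-y", C1="sample-c1-y"]
| append [| makeresults | eval source="S2", A1="sample-key-1", A2="sample-a2-x", B2="sample-b2-x"]
| append [| makeresults | eval source="S2", A1="sample-key-3", A2="sample-a2-z", B2="sample-b2-z"]
| fields source A1 B1 C1 A2 B2
| stats values(*) as * dc(source) as sources by A1
| where sources=2
```

With the where line in place only sample-key-1 remains, carrying B1 and C1 from S1 and A2 and B2 from S2 on a single row.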

MuS
Legend

Thanks for the cross reference 🙂

irfan_10578
Engager

OK, thanks for the help 🙂

0 Karma

pradeepkumarg
Influencer

What have you tried so far? Look at this documentation, which explains it with examples:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Join

0 Karma

krown
Explorer

How is it possible to combine or join 2 sources (.csv format) with exactly the same extracted fields?

source1: column1,column2,column3
source2: column1,column2,column3

In my example the first column from each source just shows milliseconds and is absolutely equal -> column1 (source1) = column1 (source2) <- these fields I want to overlay. The values from column2 and column3 differ.

I want to have now a table in this format:
column1 column2 column2 column3 column3

Then I could compare the values from column2 with each other and the values from column3 with each other in a line chart with x-axis = column1. Also, it would be nice if there were a y-axis for the values of column2 and another y-axis for column3, combined in one chart.

Thanks in advance!!


0 Karma