Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need to do a search between two Index and extract a value in a new column

flck
Path Finder
‎12-26-2019 05:36 AM

Hi everyone,
I need to do a search similar to an Excel vlookup.
I have two Indexes, IndexA and IndexB.

The IndexA has a column called "account" along with other columns not important at the moment.
The IndexB has the same column called "account" which corresponds to a numeric ID, and a second column called "AccountName" which corresponds to a string.

I need to add a new column to the IndexA in which the ID of the "account" column is searched and bring the string of the "AccountName" column of the IndexB.

I appreciate any help.

Greetings.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-26-2019 08:18 AM

@flck

I'll not suggest to use join as it has it's own limitation like degrading performance and limited data from subsearch. I'm suggesting below search for your requirement Instead of that.

You have to just replace your interesting fields with OtherFields1 and so on.. Please try search for same.

(index="IndexA" OR index = "IndexB")
| stats values(AccountName) as AccountName values(OtherFields1) as OtherFields1 values(OtherFields2) as OtherFields2 by account

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-26-2019 08:18 AM

@flck

I'll not suggest to use join as it has it's own limitation like degrading performance and limited data from subsearch. I'm suggesting below search for your requirement Instead of that.

You have to just replace your interesting fields with OtherFields1 and so on.. Please try search for same.

(index="IndexA" OR index = "IndexB")
| stats values(AccountName) as AccountName values(OtherFields1) as OtherFields1 values(OtherFields2) as OtherFields2 by account
0 Karma
Reply
Solved! Jump to solution

flck
Path Finder
‎12-26-2019 01:19 PM

@kamlesh_vaghela

Thank you very much for your help.

It worked perfect, I really appreciate your help.

Thank you my friend.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-26-2019 06:38 AM

The goal is a bit vague, but perhaps this will help. The stats command can combine the two indexes.

index=indexA OR index=indexB | stats values(*) as * by account
| table account AccountName other columns
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

flck
Path Finder
‎12-26-2019 07:19 AM

Hello, thanks for the answer.

The data found within the Indexes are the following:

IndexA:

account detail.check-item-detail.14-Day Average CPU Utilization
0000001 6.50%
0000002 1.80%

IndexB:

AccountName account
Name1 0000001
Name2 0000002

I have tried the solution given by richgalloway and it works partially, it replaces the AccountName and account columns in the IndexA but does not match.

In the following way it worked for me:

index = "IndexA" | table *
| join type = inner account [search index = "IndexB"]
| fields, "account", "AccountName"

I want to do some more tests before being sure that the query is 100% reliable.

Thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-26-2019 02:29 PM

This method has been successful in the past, but my answer was incomplete. Please try my revised answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mydog8it
Builder
‎12-26-2019 06:37 AM

Can you provide a sample set of the data?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...