Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to match 2 different fields based o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to match 2 different fields based on their values
Is it possible to match 2 different fields based on their values?
I have a search (search1) based on user addresses,names,data, etc.. via stats count, and another search (search2) that collects a different group of addresses only that MIGHT also appear in search1. Both searches are in completely different indexes/sourcetypes and I'm trying to match ONLY addresses that might appear in search1 with the addresses in search2, while also populating the data that correlates with that same address in search1.
I'm trying to avoid using a lookup table if possible and in this situation I cannot do a index OR index + source OR source.
Here is what I've tried, which doesn't work... Can anyone help?
index=search1
| stats count by address1 name station
| appendcols
[ search index=search2
| stats count by address2
]
| stats count by address1 address2 name station
| eval correlate = if(match(address1,address2), "true", "false")
| stats count by correlate address1 address2 name station
| where correlate = true
| table address1, name, station
| rename address1 AS address <-- "address" would be the same as address1 and address2 (if they are matched)
Thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I propose that you simply use the map command: Try something like this:
index=search1 | stats count by address1 name station| map search="search index=search2 address2=$address1$ "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi wyldeRhoads,
try use the fonction if (X,Y,Z) for replace the fonction match(X,Y)
index=search1
| stats count by address1 name station | appendcols [ search index=search2 | stats count by address2
| stats count by address1 address2 name station | eval correlate = if (address1=address2, "true", "false")
| stats count by correlate address1 address2 name station | where correlate = true | table address1, name, station
| rename address1 AS address
do not forget that the function match (X ,Y) compares the regex string to the Y value of X and returns a Boolean value; it returns T (true) if X matches the pattern defined by Y.
please forgive my english.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why don't you try the map command?
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Map
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
