Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to match 2 different fields based on their values

WyldeRhoads
Engager
‎04-13-2015 04:50 PM

Is it possible to match 2 different fields based on their values?

I have a search (search1) based on user addresses,names,data, etc.. via stats count, and another search (search2) that collects a different group of addresses only that MIGHT also appear in search1. Both searches are in completely different indexes/sourcetypes and I'm trying to match ONLY addresses that might appear in search1 with the addresses in search2, while also populating the data that correlates with that same address in search1.

I'm trying to avoid using a lookup table if possible and in this situation I cannot do a index OR index + source OR source.

Here is what I've tried, which doesn't work... Can anyone help?

index=search1
| stats count by address1 name station
| appendcols
[ search index=search2
| stats count by address2
]
| stats count by address1 address2 name station
| eval correlate = if(match(address1,address2), "true", "false")
| stats count by correlate address1 address2 name station
| where correlate = true
| table address1, name, station

| rename address1 AS address <-- "address" would be the same as address1 and address2 (if they are matched)

Thank you in advance!

Tags (1)
0 Karma
Reply

stephanefotso
Motivator
‎04-13-2015 05:36 PM

I propose that you simply use the map command: Try something like this:

index=search1  | stats count by address1 name station| map search="search index=search2  address2=$address1$ "
SGF
0 Karma
Reply

gyslainlatsa
Motivator
‎04-13-2015 05:36 PM

hi wyldeRhoads,

try use the fonction if (X,Y,Z) for replace the fonction match(X,Y)

index=search1
| stats count by address1 name station  | appendcols  [ search index=search2 | stats count by address2 
| stats count by address1  address2 name station  | eval correlate = if (address1=address2, "true", "false")
| stats count by correlate address1 address2 name station | where correlate = true | table address1, name, station 
| rename address1 AS address

do not forget that the function match (X ,Y) compares the regex string to the Y value of X and returns a Boolean value; it returns T (true) if X matches the pattern defined by Y.

please forgive my english.

0 Karma
Reply

stephanefotso
Motivator
‎04-13-2015 05:22 PM

Why don't you try the map command?
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Map

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...