Splunk Search

Join two events and publish the fields

rbachu1
Explorer

Hi Everyone, 

I have two events like below on the same index though. I captured all fields through rex command but unable to join and publish the desired output. Kindly Help. Thank you

index=abc 

Event 1 :

caseStatus in update case :: CaseStatusToUpdate [caseId=12345, caseStatus=Active, timeStamp=Fri Mar 19 18:49:39 UTC 2021]

Event 2:

caseDetails :: [caseID=12345, type=Credit]

Output:

caseID, caseStatus, type, timeStamp

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:

index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID

Ciao.

Giuseppe

View solution in original post

0 Karma

rbachu1
Explorer

Thank you, that helped. 🙂

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:

index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID

Ciao.

Giuseppe

0 Karma

rbachu1
Explorer

Thank you for the reply. However, I am not using splunk  field extractor for extracting fields, I am using rex command, I have captured caseID from both the events using rex commands. but I am stuck in joining them and publish the case status as per  caseID. 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

if you use two regexes to extract fields is easier because you have only to use the same fieldname in both field extraction, in few words: to group events you need the same fieldname.

Then the approach with stats is the correct one, did you tried it?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...