Splunk Search

Join two events and publish the fields

rbachu1
Explorer

Hi Everyone, 

I have two events like below on the same index though. I captured all fields through rex command but unable to join and publish the desired output. Kindly Help. Thank you

index=abc 

Event 1 :

caseStatus in update case :: CaseStatusToUpdate [caseId=12345, caseStatus=Active, timeStamp=Fri Mar 19 18:49:39 UTC 2021]

Event 2:

caseDetails :: [caseID=12345, type=Credit]

Output:

caseID, caseStatus, type, timeStamp

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:

index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID

Ciao.

Giuseppe

View solution in original post

0 Karma

rbachu1
Explorer

Thank you, that helped. 🙂

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:

index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID

Ciao.

Giuseppe

0 Karma

rbachu1
Explorer

Thank you for the reply. However, I am not using splunk  field extractor for extracting fields, I am using rex command, I have captured caseID from both the events using rex commands. but I am stuck in joining them and publish the case status as per  caseID. 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rbachu1,

if you use two regexes to extract fields is easier because you have only to use the same fieldname in both field extraction, in few words: to group events you need the same fieldname.

Then the approach with stats is the correct one, did you tried it?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...