Hi Everyone,
I have two events like below on the same index though. I captured all fields through rex command but unable to join and publish the desired output. Kindly Help. Thank you
index=abc
Event 1 :
caseStatus in update case :: CaseStatusToUpdate [caseId=12345, caseStatus=Active, timeStamp=Fri Mar 19 18:49:39 UTC 2021]
Event 2:
caseDetails :: [caseID=12345, type=Credit]
Output:
caseID, caseStatus, type, timeStamp
Hi @rbachu1,
the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:
index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID
Ciao.
Giuseppe
Thank you, that helped. 🙂
Hi @rbachu1,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @rbachu1,
the fields ara automatically extracted by Splunk because they are in the format field_name=field_value, but they have a different name, so to group them you have to rename one of them, then you can use the stats command to group them, something like this:
index=your_index
| rename caseId AS caseID
| stats values(caseStatus) AS caseStatus status(type) AS type values(timeStamp) AS timeStamp BY caseID
Ciao.
Giuseppe
Thank you for the reply. However, I am not using splunk field extractor for extracting fields, I am using rex command, I have captured caseID from both the events using rex commands. but I am stuck in joining them and publish the case status as per caseID.
Hi @rbachu1,
if you use two regexes to extract fields is easier because you have only to use the same fieldname in both field extraction, in few words: to group events you need the same fieldname.
Then the approach with stats is the correct one, did you tried it?
Ciao.
Giuseppe