Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join two searches together and create a table

dpanych
Communicator
‎02-24-2016 01:48 PM

I have two searches that I want to combine into one:

index=calfile CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*
| rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN, CALFileRequest.TransactionIdentifier AS TransID 
| where TPID!=SSN
| table SSN TPID TransID

index=calfile \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*"
| rename CALFileResponse.TransactionIdentifier AS TransID, "CALFileResponse.CALFileData.Street" AS Street
| table TransID Street

The first one returns:
SSN TPID TransID
---------------------------------------------------
123121234 123121234 1

The second one returns:
TransID Street
------------------------------
1 10 Box Ct.

How can I make a search that returns SSN, TPID, TransID, and Street?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-24-2016 02:22 PM

This probably be more efficient then join.

index=calfile (CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*) OR ( \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*")
 | where isnull('CALFileRequest.TPID') OR 'CALFileRequest.TPID'!='CALFileRequest.SSN'
 | eval TransID=coalesce('CALFileRequest.TransactionIdentifier','CALFileResponse.TransactionIdentifier')
 | rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN  "CALFileResponse.CALFileData.Street" AS Street
 | stats values(Street) as Street, values(SSN) as SSN values(TPID) as TPID by TransID

Update
There could be some extra TransID in 2nd search, try something like this

index=calfile (CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*) OR ( \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*")
 | where isnull('CALFileRequest.TPID') OR 'CALFileRequest.TPID'!='CALFileRequest.SSN'
 | eval TransID=coalesce('CALFileRequest.TransactionIdentifier','CALFileResponse.TransactionIdentifier')
 | rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN  "CALFileResponse.CALFileData.Street" AS Street
 | stats values(Street) as Street, values(SSN) as SSN values(TPID) as TPID by TransID | where isnotnull(SSN) OR isnotnull(TPID)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-24-2016 02:22 PM

This probably be more efficient then join.

index=calfile (CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*) OR ( \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*")
 | where isnull('CALFileRequest.TPID') OR 'CALFileRequest.TPID'!='CALFileRequest.SSN'
 | eval TransID=coalesce('CALFileRequest.TransactionIdentifier','CALFileResponse.TransactionIdentifier')
 | rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN  "CALFileResponse.CALFileData.Street" AS Street
 | stats values(Street) as Street, values(SSN) as SSN values(TPID) as TPID by TransID

Update
There could be some extra TransID in 2nd search, try something like this

index=calfile (CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*) OR ( \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*")
 | where isnull('CALFileRequest.TPID') OR 'CALFileRequest.TPID'!='CALFileRequest.SSN'
 | eval TransID=coalesce('CALFileRequest.TransactionIdentifier','CALFileResponse.TransactionIdentifier')
 | rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN  "CALFileResponse.CALFileData.Street" AS Street
 | stats values(Street) as Street, values(SSN) as SSN values(TPID) as TPID by TransID | where isnotnull(SSN) OR isnotnull(TPID)
Reply
Solved! Jump to solution

dpanych
Communicator
‎02-24-2016 02:42 PM

Looks like it is partially working, how can I remove the blank SSN and TPID fields?
alt text

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎02-24-2016 01:58 PM

Try this with appedncols http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Appendcols

   index=calfile CALFileRequest.TPID=* CALFileRequest.SSN=* CALFileRequest.TransactionIdentifier=*
     | rename CALFileRequest.TPID AS TPID, CALFileRequest.SSN AS SSN, CALFileRequest.TransactionIdentifier AS TransID 
     | where TPID!=SSN
     | table SSN TPID TransID  | appendcols [search index=calfile \<CALFileResponse\> CALFileResponse.TransactionIdentifier=* _raw="*\<Street\>*"
 | rename CALFileResponse.TransactionIdentifier AS TransID, "CALFileResponse.CALFileData.Street" AS Street
 | table Street]

thanks

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...