Splunk Search

Joining two sourcetypes and adding the value of a field based on matching IDs

zd00191
Communicator

I have two source types

  1. autosys_job_def_dimension
  2. autosys_job_desc_dimension

The events in the sourcetype1 have a common field with the events in sourcetype2 which is JOB_DESC_ID

The events in sourcetype2 contain a field called DESCRIPTION

I want to add the description field to the events in sourcetype1 based on if the JOB_DESC_ID fields match.

This is what I have so far but I do no think that I am on the right track. Please help! Thanks!

   index=ko_autosys sourcetype=autosys_job_def_dimension | join type=left max=0 JOB_DESC_ID [search index=ko_autosys sourcetype=autosys_job_desc_dimension |fields + DESCRIPTION ] |table JOB_NAME DESCRIPTION
Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION

View solution in original post

woodcock
Esteemed Legend

Like this:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION

zd00191
Communicator

Do you think you could at

https://answers.splunk.com/answers/274838/table-cell-highlighting-cannot-seem-to-get-it-to-w.html

I edited the .js, .css, and xml based on the examples from the dashboard examples app but there are no highlights showing up in my table.

Thanks again.

0 Karma

woodcock
Esteemed Legend

Sorry, I have not done this before so I cannot speak to it.

0 Karma

zd00191
Communicator

I want my results to look like this

Job_Name DESCRIPTION

asghasgha hkjfdjhdljfhaldjkghljkadg

0 Karma

zd00191
Communicator

Sorry about that. I would like each row to contain one JOB_NAME and its DESCRIPTION. Unfortunately, the search above does not display the DESCRIPTION, and all of the job names end up in 1 row. Thank you again.

0 Karma

woodcock
Esteemed Legend

Both of your "dislikes" are a result of the joining field ( JOB_DESC_ID ) not being present in this source:

index=ko_autosys sourcetype=autosys_job_desc_dimension

Once you figure out what the real name of that field is, you can run this search and replace mysteryField with the correct field name:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | eval JOB_DESC_ID=coalesce(JOB_DESC_ID,mysteryField) | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION
0 Karma

zd00191
Communicator

Perfect. Thank you so much for answering my questions all the time!

0 Karma

woodcock
Esteemed Legend

You really should be more clear about how the solution does not match your desire. In this case, the only thing that I can guess is that you don't like the capitalization of the job name. If so, just add this:

... | rename JOB_NAME AS Job_Name
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...