Splunk Search

Joining two sourcetypes and adding the value of a field based on matching IDs

zd00191
Communicator

I have two source types

  1. autosys_job_def_dimension
  2. autosys_job_desc_dimension

The events in the sourcetype1 have a common field with the events in sourcetype2 which is JOB_DESC_ID

The events in sourcetype2 contain a field called DESCRIPTION

I want to add the description field to the events in sourcetype1 based on if the JOB_DESC_ID fields match.

This is what I have so far but I do no think that I am on the right track. Please help! Thanks!

   index=ko_autosys sourcetype=autosys_job_def_dimension | join type=left max=0 JOB_DESC_ID [search index=ko_autosys sourcetype=autosys_job_desc_dimension |fields + DESCRIPTION ] |table JOB_NAME DESCRIPTION
Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION

View solution in original post

woodcock
Esteemed Legend

Like this:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION

View solution in original post

zd00191
Communicator

Do you think you could at

https://answers.splunk.com/answers/274838/table-cell-highlighting-cannot-seem-to-get-it-to-w.html

I edited the .js, .css, and xml based on the examples from the dashboard examples app but there are no highlights showing up in my table.

Thanks again.

0 Karma

woodcock
Esteemed Legend

Sorry, I have not done this before so I cannot speak to it.

0 Karma

zd00191
Communicator

I want my results to look like this

Job_Name DESCRIPTION

asghasgha hkjfdjhdljfhaldjkghljkadg

0 Karma

zd00191
Communicator

Sorry about that. I would like each row to contain one JOB_NAME and its DESCRIPTION. Unfortunately, the search above does not display the DESCRIPTION, and all of the job names end up in 1 row. Thank you again.

0 Karma

woodcock
Esteemed Legend

Both of your "dislikes" are a result of the joining field ( JOB_DESC_ID ) not being present in this source:

index=ko_autosys sourcetype=autosys_job_desc_dimension

Once you figure out what the real name of that field is, you can run this search and replace mysteryField with the correct field name:

index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | eval JOB_DESC_ID=coalesce(JOB_DESC_ID,mysteryField) | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION
0 Karma

zd00191
Communicator

Perfect. Thank you so much for answering my questions all the time!

0 Karma

woodcock
Esteemed Legend

You really should be more clear about how the solution does not match your desire. In this case, the only thing that I can guess is that you don't like the capitalization of the job name. If so, just add this:

... | rename JOB_NAME AS Job_Name
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!