I have two source types
The events in the sourcetype1 have a common field with the events in sourcetype2 which is JOB_DESC_ID
The events in sourcetype2 contain a field called DESCRIPTION
I want to add the description field to the events in sourcetype1 based on if the JOB_DESC_ID fields match.
This is what I have so far but I do no think that I am on the right track. Please help! Thanks!
index=ko_autosys sourcetype=autosys_job_def_dimension | join type=left max=0 JOB_DESC_ID [search index=ko_autosys sourcetype=autosys_job_desc_dimension |fields + DESCRIPTION ] |table JOB_NAME DESCRIPTION
Like this:
index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION
Like this:
index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION
Do you think you could at
https://answers.splunk.com/answers/274838/table-cell-highlighting-cannot-seem-to-get-it-to-w.html
I edited the .js, .css, and xml based on the examples from the dashboard examples app but there are no highlights showing up in my table.
Thanks again.
Sorry, I have not done this before so I cannot speak to it.
I want my results to look like this
asghasgha hkjfdjhdljfhaldjkghljkadg
Sorry about that. I would like each row to contain one JOB_NAME and its DESCRIPTION. Unfortunately, the search above does not display the DESCRIPTION, and all of the job names end up in 1 row. Thank you again.
Both of your "dislikes" are a result of the joining field ( JOB_DESC_ID
) not being present in this source:
index=ko_autosys sourcetype=autosys_job_desc_dimension
Once you figure out what the real name of that field is, you can run this search and replace mysteryField
with the correct field name:
index=ko_autosys sourcetype=autosys_job_def_dimension OR sourcetype=autosys_job_desc_dimension | eval JOB_DESC_ID=coalesce(JOB_DESC_ID,mysteryField) | stats values(*) AS * BY JOB_DESC_ID | table JOB_NAME DESCRIPTION
Perfect. Thank you so much for answering my questions all the time!
You really should be more clear about how the solution does not match your desire. In this case, the only thing that I can guess is that you don't like the capitalization of the job name. If so, just add this:
... | rename JOB_NAME AS Job_Name