Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Map column from another table to my currently used table

Jimenez
Explorer
‎01-24-2025 02:12 AM

Hi all,

I have the following issue. I have a table A 

col1col2
Aaa
Bbb
Caa

 

And a table B

colAcolB
aaFYI
bbLOL

 

I need to add to table A the column colB based on the matching values from col1 (table A) and colA (table B) and it should look like:

col1colBcol2
AFYIaa
BLOLbb
CFYIaa

 

so basically map the values from col2 to colA and add colB based on the matches

Thanks for your support,

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-25-2025 10:52 PM

As with any good languages, there are many ways to do this.  A simple and semantically expressive method is to use coalesce.

sourcetype IN (tableA, tableB)
| eval col2 = coalesce(col2, colA)
| stats values(col1) as col1 values(colB) as colB by col2

 

Tags (1)
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-26-2025 01:04 AM

Right. Didn't notice the columns were not named the same in both sourcetypes.

0 Karma
Reply

Jimenez
Explorer
‎01-24-2025 05:06 AM

They are actually results coming from different event types. Each event contains different fields.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 07:08 AM

Yes. But are those results of some searches that you want to "merge" or do you simply have two different sourcetypes from which different sets of fields are extracted?

If it's the latter, your solution should be relatively simple

<some restriction on index(es)> sourcetype IN (sourcetype1, sourcetype2)
| stats values(colA) as colA values(colB) as colB values(col1) as col1 values(col2) as col2 [...] by common_column

If you want all columns, you might simply go with

values(*) as *
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-24-2025 05:23 AM
Are those tables individual sourcetypes on index or results of your SPL queries? If last, can you share it so we can modify it to create your requested result?
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 04:09 AM

What do you mean by "table"? There are several different possible approaches depending on where those "tables" come from.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...