Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Merge 2 queries base on id

shrogers
Loves-to-Learn Everything
‎10-13-2021 09:49 AM

Need some assistance from the experts.

I have two queries below which I would like to merge on id.

Query 1

index=aws sourcetype=aws:cloudtrail eventName=RebootInstances | table _time userName sourceIPAddress requestParameters.instancesSet.items{}.instanceId
| rename requestParameters.instancesSet.items{}.instanceId as id

Query 2

index=aws sourcetype=aws:description source="us-east-2:ec2_instances" | table id private_ip_address

 

I would like the final table fields to be:

time  userName  sourceIPAddress    id   private_ip_address

 

Any assistance given will be appreciated.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-13-2021 02:47 PM

Try this

(index=aws sourcetype=aws:cloudtrail eventName=RebootInstances) OR
(index=aws sourcetype=aws:description source="us-east-2:ec2_instances")
| eval id=coalesce(id, 'requestParameters.instancesSet.items{}.instanceId')
| eval _time=if(sourcetype="aws:cloudtrail", _time, null())
| fields _time userName sourceIPAddress private_ip_address id
| stats values(*) as * by id

 It searches both data sets.

  • id is then set as either id OR the instanceId in the coalesce statement.
  • _time is set to null if it is the description sourcetype, forcing _time to come from the cloudtrail event
  • fields are then limited to the ones specified
  • stats takes the values of all fields and effectively merges the data on the id field

Hope this helps

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-13-2021 09:56 AM

@shrogers 

Can you please try this?

index=aws (sourcetype=aws:cloudtrail eventName=RebootInstances) OR (sourcetype=aws:description source="us-east-2:ec2_instances")
| fields _time userName sourceIPAddress requestParameters.instancesSet.items{}.instanceId id private_ip_address 
| rename requestParameters.instancesSet.items{}.instanceId as id
| stats latest(_time) as _time values(userName) as userName values(sourceIPAddress) as sourceIPAddress values(private_ip_address) as private_ip_address by id
| table time  userName  sourceIPAddress    id private_ip_address

 

KV 

0 Karma
Reply

shrogers
Loves-to-Learn Everything
‎10-13-2021 10:02 AM

Hi Kamlesh,

Thank you for your quick response.

Unfortunately, the time and private_id_address are not being populated.

 

Regards,

Sheldon

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...