Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combining fields from two log entries which have a common id that is named differently

dreeck
Path Finder
‎08-31-2018 06:20 PM

Base,

How can I combine two log entries that share a common ID when the field name of the ID is different between both entries?

Currently I'm using re-name to change my field names into strings that don't contain "-" (eval seems to hate "-"),

rename v.my-very-long-field-name.rid AS rid
then eval to give the unique field names a single name, and transact:

eval request_id=if(isnull(rid), req, rid)
transaction request_id |

Last thing: I table values from both log entries. Seems like it should work great... but... it doesn't.
I end up with table entries containing values from 1 log entry or the other, not both.

Help me Obi Wan...

Tags (1)
0 Karma
Reply

knielsen
Contributor
‎09-04-2018 04:51 AM

It would be helpful to see what you are doing with the data, other than "table". Maybe your use case can be done with

sourcetype=A OR sourcetype=B
| rename your.very.long.field.name as rid
| eval request_id=coalesce(req, rid)
| stats <your logic> by request_id
| table your result
0 Karma
Reply

horsefez
Motivator
‎09-01-2018 11:08 AM

Hi my very young padawan,

as you did not provide enough sample data or your full query I have to write in pseudo code.
What I will try is introduce you to subsearches. You can find more information about them here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/Useasubsearch

index=logsource_A AND my-very-long-field-name.rid=* | rename my-very-long-field-name.rid AS rid
| join rid [search index=logsource_B AND rid=*]

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...