Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to compare and replace fields value on an indexA from a different fields on indexB

skylabsit
Engager
‎06-18-2020 07:23 AM

Hi,
I have an an indexA which have logs which includes data in each raw like:
User=11111,Language=English,Usage=btn_section1_1,Experience=btn_section2_4,Problems=btn_section4_8
Fields are extracted well here.


now I have imported to splunk using DB Connect (inputs) from sql server, a dictionary of key-value of "btns"
and it stored on indexB, with 2 fields for each event, looks like:
Key=btn_section1_1, Value="Often"
Key=btn_section2_4, Value="All OK"
... and so on...

Now I need to achieve in a query to join both indexes 
and then to have a table for each event, like below where I got the value from the IndexB which translate the actual "btn":
User   Language  Usage       Experience
1111  English      "Often    "All OK"

I appreciate for help

Thanks!


Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-18-2020 08:00 AM

Hi @skylabsit ,

why didn't you used a lookup instead of index?

it's easier to manage and quicker!

 

Anyway, you could use join command or stats command:

using join (I don like join because it's very slow, but probably having few events in IndexB it could be sufficiently performant):

index=indexA
| join Experience [ search index=indexB | rename Key AS Experience Value AS Experience_Value | fields Experience Experience_Value ]
| table User Language Usage Experience_Value
| rename Experience_Value AS Experience

If you want also Problems, you could add another join similar to the first.

Using stats command, you could run something like this:

index=indexA OR index=IndexB
| rename Key AS Experience Value AS Experience_Value
| stats values(Experience_Value) AS Experience_Value BY User Language Usage Experience 
| table User Language Usage Experience_Value
| fields - Experience
| rename Experience_Value AS Experience

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-18-2020 08:00 AM

Hi @skylabsit ,

why didn't you used a lookup instead of index?

it's easier to manage and quicker!

 

Anyway, you could use join command or stats command:

using join (I don like join because it's very slow, but probably having few events in IndexB it could be sufficiently performant):

index=indexA
| join Experience [ search index=indexB | rename Key AS Experience Value AS Experience_Value | fields Experience Experience_Value ]
| table User Language Usage Experience_Value
| rename Experience_Value AS Experience

If you want also Problems, you could add another join similar to the first.

Using stats command, you could run something like this:

index=indexA OR index=IndexB
| rename Key AS Experience Value AS Experience_Value
| stats values(Experience_Value) AS Experience_Value BY User Language Usage Experience 
| table User Language Usage Experience_Value
| fields - Experience
| rename Experience_Value AS Experience

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

skylabsit
Engager
‎06-25-2020 07:49 AM

Hi @gcusello 
thank you for your replies.
I test your suggestion, and the Join actually made the job. I got the required values .
an repeated the join for 3 more fields, and it works.

0 Karma
Reply
Solved! Jump to solution

skylabsit
Engager
‎06-25-2020 07:53 AM

@gcusello 
I wondered, I have do to same joining..but it with a dbxquery. and I cannot get it working..

I have a big DB table, that cannot imported in splunk, so what I am trying to make a lookup via dbxquery
but I need to pass param of account number into it from up query? is it possible?

| dbxlookup  connection="db-dev" query="SELECT AccountNumber  FROM DB.Customers  WHERE AccountNumber = "$AccountNumber$"



0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...