Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to join 2 different searches in a single index with different fileds and mapping them to the common field

balavenkatachal
New Member
‎06-21-2012 12:20 PM

how to join 2 different searches in a single index with different fileds and mapping them to the common field, please help :

My Problem Statement :

  1. I have a string string "Participant_System_Information" on the index = broker and i want to get the count and percentage of OSType and i use the below query and i get the result.

sourcetype="broker" host="g2m*" Participant_System_Information| top OSType

Result :

OSType count percent

Windows 45741 90.932766
MacOSX 4176 8.301857
iOS 385 0.765377

  1. I have a string string "createUpdateAttendeeResource" on the index = broker and i want to get the count and percentage of ClientName as i don't have the OSTYpe Filed and i get the result.

sourcetype="broker" host="g2m*" createUpdateAttendeeResource| top ClientName

ClientName count percent

android 193 100.000000

Now i want to combine the above 2 quries and get the combined result of OSType and i used the below query and i am not getting the accurate count :

sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information)|rename OSType as OS| rename ClientName as OS| top OS

OS count percent

Windows 483 67.458101
android 177 24.720670
MacOSX 56 7.821229

I think for some reason "rename" is not working as expected when combing the query, please help.

Tags (1)
0 Karma
Reply

balavenkatachal
New Member
‎06-21-2012 02:33 PM

Great , this seem to give the count that matches.
Thanks a lot !

0 Karma
Reply

lguinn2
Legend
‎06-21-2012 02:17 PM

I think that the last rename is always overwriting the previous value of the OS field and so you are losing information. Try this:

sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | 
rename OSType as OS | 
eval OS = if(OS=="" or isnull(OS),ClientName,OS) | 
top OS
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...