Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- join two events with a common field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
join two events with a common field
I want to join the below two events based on tid. For "Event1", there could be multiple" Event2"
Event1:
20171219.114132 myapp error statusCode=500 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d
Event2:
20171219.114132 Fn=makeRequest HttpStatusCode=401 ElapsedTime=79 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d
20171219.114132 Fn=makeRequest HttpStatusCode=200 ElapsedTime=50 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d
I have tried this so far but it doesn't give all the events -
index=myindex "myapp error" |join tid [search index=myindex Fn=makeRequest |fields tid, HttpStatusCode] |table tid, statusCode, HttpStatusCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pankajad,
Can you please try search?
index=myindex "myapp error"
| append
[ search index=myindex Fn=makeRequest
| fields tid, HttpStatusCode]
| stats values(statusCode) as statusCode values(HttpStatusCode) as HttpStatusCode by tid
Check my sample search.
| makeresults
| eval _raw="20171219.114132 myapp error statusCode=500 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d"
| append
[| makeresults
| eval _raw="20171219.114132 Fn=makeRequest HttpStatusCode=401 ElapsedTime=79 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d"]
| append
[| makeresults
| eval _raw="20171219.114132 Fn=makeRequest HttpStatusCode=200 ElapsedTime=50 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d"]
| kv
| stats values(statusCode) as statusCode values(HttpStatusCode) as HttpStatusCode by tid
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would transaction not be of use here?
index=myindex ("myapp error" OR Fn=makeRequest) |transaction tid startswith="myapp error"|table tid, statusCode, HttpStatusCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This didn't work. I'm getting all events from "Fn=makeRequest "and "myapp error". It's not doing any join
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transaction won’t join per se, it groups events based on a common field. tid in this case.
I have double checked my spl and I can’t see anything wrong, so am intrigued what it actually outputs for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made a slight change to the suggestion above, could you try it again?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
