joining 2 sourcetypes - output different fields fr...

brdr · ‎03-01-2019

Hello,

I need a way to join different sourcetypes based on a field (alert) that is common in both sourcetypes. The name of the field is different but using rename and then joining I get back the alerts.

index=a sourcetype=event  | table event_alert | rename event_alert as incident_alert | join type=left incident_alert [ search index=a sourcetype=incident ]

The search returns event_alert from sourcetype event with the right number of events. However, there are fields from both sourcetypes that I need, and I can't find a solution to table them.

Fields needed from event sourcetype are: severity_name, created_by, created_on

Fields needed from incident sourcetype are: short_descr, inc_state_name, urgency

Any ideas would be helpful.

Thanks

tiagofbmm · ‎03-01-2019

Assuming you'd the incident_alert is a unique identifier, you don't really need to joint them I believe:

index=a (sourcetype=event OR sourcetype=incident) | rename event_alert as incident_alert | stats values(severity_name) as severity_name, values(created_by) as created_by, values(created_on) as created_on, values(short_descr), as short_descr, values(inc_state_name) as inc_state_name, values(urgency) as urgency by incident_alert

Let us know if this works

brdr · ‎03-01-2019

thanks @tiagofbmm.

I get the values from the fields from event sourcetype, but i do not get the values for fields from the incident sourcetype, which is where i was before....

brdr · ‎03-12-2019

would some other type of join work in this situation?

joining 2 sourcetypes - output different fields from both sourcetypes

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!