Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- matching two different events and create new table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matching two different events and create new table
Dear Folks,
I've the below two different type of events, the matching attributes from first event to second event are, (mainModify, headerIdSelection) <=> (modify, headerId)
<ar-1> [log@50 STAGE="dev" ACTION="SUBMISSION" TRX="[Input{selectedId='null', selectedProductId='null', isUser=false, selectionInput=SelectionInput [CreateId=5555555, technicalId=999999, modify=2015-09-01-10.03.23.075286, currency=USD, amount=200, headerIdSelection=3452345245, createdTicket=2020-06-7-13.06.53.232320\], client=false}, SelectionOutput{mainModify='2020-06-06-13.08.04.204797', technicalId='null', modify='null'}\]" EVENT="SELECTION" USER_ID="Eer343b"] instance="bar"] Log
<ar-1> [log@50 STAGE="dev" ACTION="SELECTION" TRX="[Input{selectedId='1111111111', selectedProductId='00000', propertyId='null', isUser=false, client=false}, SelectionCollection{ProcNumber='222222222', productId='00000',
allSelection=[ProductDetails{validity=24, percent=0.59000000, modify='2020-06-06-13.08.03.934946', headerId='3452345245'}, ProductDetails{validity=3, percent=0.57, modify='2020-06-06-13.08.04.158208', headerId='3452345245'},
ProductDetails{validity=9, percent=0.57, modify='2020-06-06-13.08.04.168807', headerId='3452345245'},
ProductDetails{validity=12, percent=0.58, modify='2020-06-06-13.08.04.204797', headerId='3452345245'},
ProductDetails{validity=15, percent=0.63, modify='2020-06-06-13.08.04.221864', headerId='3452345245'},
ProductDetails{validity=20, percent=0.69, modify='2020-06-06-13.08.04.252901', headerId='3452345245'},
ProductDetails{validity=25, percent=0.71, modify='2020-06-06-13.08.04.263227', headerId='3452345245'},
ProductDetails{validity=100, percent=0.73, modify='2020-06-06-13.08.04.298523', headerId='3452345245'}\]}\]" EVENT="SELECTION" USER_ID="Eer343b" instance="bar"] Log
I need to extract the output as a table like below,
CreateId, | technicalId | mainModify | headerId | selectedId | selectedProductId | validity | percent
5555555 | 999999 | 2020-06-06-13.08.04.204797 | 3452345245 | 1111111111 | 00000 | 12 | 0.58
The selection of validity & percent attributes on the second event must be matching to the specific ProductDetails element to the mainModify and headerIdSelection from the first event.
Could you please guide, how can I acheive such result? I tried with the join of first event to the second event as inner join but couldn't get it work.
Thank you in advance for the help.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
