Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

matching two different events and create new table

Madhuranthakan
Loves-to-Learn Lots
‎07-13-2020 04:08 AM

Dear Folks,

I've the below two different type of events, the matching attributes from first event to second event are, (mainModify, headerIdSelection) <=> (modify, headerId)

<ar-1> [log@50 STAGE="dev" ACTION="SUBMISSION" TRX="[Input{selectedId='null', selectedProductId='null', isUser=false, selectionInput=SelectionInput [CreateId=5555555, technicalId=999999, modify=2015-09-01-10.03.23.075286, currency=USD, amount=200, headerIdSelection=3452345245, createdTicket=2020-06-7-13.06.53.232320\], client=false}, SelectionOutput{mainModify='2020-06-06-13.08.04.204797', technicalId='null', modify='null'}\]" EVENT="SELECTION" USER_ID="Eer343b"] instance="bar"] Log


<ar-1> [log@50 STAGE="dev" ACTION="SELECTION" TRX="[Input{selectedId='1111111111', selectedProductId='00000', propertyId='null', isUser=false, client=false}, SelectionCollection{ProcNumber='222222222', productId='00000',
allSelection=[ProductDetails{validity=24, percent=0.59000000, modify='2020-06-06-13.08.03.934946', headerId='3452345245'}, ProductDetails{validity=3, percent=0.57, modify='2020-06-06-13.08.04.158208', headerId='3452345245'},
ProductDetails{validity=9, percent=0.57, modify='2020-06-06-13.08.04.168807', headerId='3452345245'},
ProductDetails{validity=12, percent=0.58, modify='2020-06-06-13.08.04.204797', headerId='3452345245'},
ProductDetails{validity=15, percent=0.63, modify='2020-06-06-13.08.04.221864', headerId='3452345245'},
ProductDetails{validity=20, percent=0.69, modify='2020-06-06-13.08.04.252901', headerId='3452345245'},
ProductDetails{validity=25, percent=0.71, modify='2020-06-06-13.08.04.263227', headerId='3452345245'},
ProductDetails{validity=100, percent=0.73, modify='2020-06-06-13.08.04.298523', headerId='3452345245'}\]}\]" EVENT="SELECTION" USER_ID="Eer343b" instance="bar"] Log

I need to extract the output as a table like below,

CreateId, | technicalId | mainModify | headerId | selectedId | selectedProductId | validity | percent
5555555 | 999999 | 2020-06-06-13.08.04.204797 | 3452345245 | 1111111111 | 00000 | 12 | 0.58


The selection of validity & percent attributes on the second event must be matching to the specific ProductDetails element to the mainModify and headerIdSelection from the first event.

Could you please guide, how can I acheive such result? I tried with the join of first event to the second event as inner join but couldn't get it work.

Thank you in advance for the help.

Labels (4)
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...