Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

merge two sourcetypes that have the same data but different field names

supersnedz
Path Finder
‎01-29-2020 06:59 AM

Hello,

I have two sourcetypes in the same index, however the fields names are different. Is it possible to rename both fields to the same and then search for a value in the newly named field?

Both my sourcetypes and fields are as follows:

index=siem_cyber_ca sourcetype=cs:epv:cef externalid="\\"0538ef14-4281-11ea-a80f-005056af449f\\""
index=siem_cyber_ca sourcetype=cs:pta:cef cs1="0538ef14-4281-11ea-a80f-005056af449f"

I would like both externalid and cs1 to be called the same name, so i can search for 0538ef14-4281-11ea-a80f-005056af449f and recieve both set of results.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2020 07:24 AM

If I understand the question, there are a few ways to do that. The first is with OR

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=foo OR cs1=foo)

Or you could give both fields a common name and then search them.

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=* OR cs1=*)
| eval searchField = coalesce(externalid, cs1)
| search searchField = foo

Like you suggested, you could also rename both fields.

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=* OR cs1=*)
| rename externalid as searchField, cs1 as searchField
| search searchField = foo
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

abhijeet01
Path Finder
‎01-29-2020 11:19 PM

Hi supersnedz,

Understood.

You can try below command .

index=siem_cyber_ca (sourcetype= "cs:epv:cef" OR sourcetype="cs:pta:cef") | rex field=_raw ((externalid=)\"\\\"|(cs1=)\")(?P[a-z0-9-]*) | stats count(xyz) as XYZ by XYZ .

You don't need to rename field . The regex command will create new/rename field.

Thanks,
Abhijeet B.

Reply
Solved! Jump to solution

supersnedz
Path Finder
‎01-30-2020 02:58 AM

Thank you, at first i had unbalanced quotes, but its sorted. Thanks again

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-30-2020 12:54 AM

please use code sample

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-29-2020 10:20 PM 
Fields » Calculated fields » Add new

Destination app: search   
Apply to sourcetype  named: cs:epv:cef
Name: cs1
Eval expression:  coalesce(replace(externalid,"\\\\\"",""),cs1)

Hi, try Calculated fields and use fieldname cs1

|makeresults
|eval externalid="\\\"0538ef14-4281-11ea-a80f-005056af449f\\\""
|eval cs1=coalesce(replace(externalid,"\\\\\"",""),cs1)

the result is like above.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2020 07:24 AM

If I understand the question, there are a few ways to do that. The first is with OR

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=foo OR cs1=foo)

Or you could give both fields a common name and then search them.

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=* OR cs1=*)
| eval searchField = coalesce(externalid, cs1)
| search searchField = foo

Like you suggested, you could also rename both fields.

index=siem_cyber_ca (sourcetype=cs:epv:cef OR sourcetype=cs:pta:cef) (externalid=* OR cs1=*)
| rename externalid as searchField, cs1 as searchField
| search searchField = foo
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

supersnedz
Path Finder
‎01-30-2020 02:57 AM

Thank you this works wonders

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-29-2020 07:23 AM

Hi @supersnedz,
you can follow two ways:

  • create for one of the sourcetypes an alias for the field (e.g. cs1 AS externalid) in [Settings -- Fields -- Field Aliases];
  • use eval and coalesce in your searches e.g. index=siem_cyber_ca | eval externalid=coalesce(externalid,cs1).

There's also a third choice because I see that the field value in externalid is a little bit different than cs1: extract from externalid the value using rex: | rex field=externalid "\"\\\\\\\"(?<externalid>[^\!]*)".

Ciao.
Giuseppe

Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...