Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multifield key between indexes

kp_pl
Path Finder
‎07-04-2024 11:38 PM 
index=db OR index=app
| eval join=if(index="db",processId,pid)
| stats sum(rows) sum(cputime) by join



Above is simple example how to join two indexes. But how to join two indexes where the key value has two fields ?

K.

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2024 12:11 AM

Hi @kp_pl ,

yes, it's correct.

I'd use coalesce instead if:

index IN (db, app)
| eval key=coaesce(processId,pid)
| stats sum(rows) AS rown sum(cputime) AS cputime by key

Ciao.

Giuseppe

0 Karma
Reply

kp_pl
Path Finder
‎07-05-2024 12:57 AM

I suppose you do not understand my question . 

I need a join two indexes by two fields , Something like

| eval key=if(index="aaa", I1key1 , I2key1)
| eval key2=if(index="aaa", I1key2 , I2key2)
| stats values(*) as * by (key and  key2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2024 01:06 AM

Hi @kp_pl ,

I understood that you have key1 in ndex1 and key2 in index2 and you want to correate events from both the indexes.

using coalesce, you create a new field (caed key) that takes values from index1 (when present key1) or otherwise from index2 (key2).

then you correlate values using stats and you have values from both the indexes.

Ciao.

Giuseppe

0 Karma
Reply

kp_pl
Path Finder
‎07-05-2024 01:26 AM

everything you write is correct but it is not my case. 
Below my indexes with keys:
index1:  AAA
key values:  fieldA1 AND fieldA2

index2 : BBB
key values: fieldB1 AND fieldB2

so I suppose I need to do something like

| eval JOIN=if (index='AAA', fieldA1+"_"+fieldA2, fieldB1+"_"+fieldB2)

or in your way:

| eval key=coalesce(fieldA1+"_"+fieldA2 , fieldB1+"_"+fieldB2)


btw. In a few sources close to splunk I read IF is more efficient than COALESCE .   But of course both methods do more or less the same.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2024 01:42 AM

Hi @kp_pl ,

yes, coalesce and if are the same, even if I always use coalesce.

I usually use "." instead "+".

let me summarize: for events from index A, you want to use to concatenated fields from this index, otherwise

two concatenated fieds from index B, is it correct?

in this case you could use:

| eval key=coalesce(fieldA1."_".fieldA2, fieldB1."_".fieldB2)

or in your way:

| eval JOIN=if(index="AAA", fieldA1."_".fieldA2, fieldB1."_".fieldB2)

let me know.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...