×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
v11n
New Member
Member since: ‎12-22-2021
‎12-22-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-22-2021
Activity Feed
Topics I've Started
View All

Re: Join issue

by SplunkTrust in Splunk Search
‎12-22-2021 01:43 PM
‎12-22-2021 01:43 PM
You need to grab the fields from your ST2 data row with rex, e.g. try this example | makeresults | eval x=split("id=1 title=one,id=2 title=two,id=3 title=three", ",") | mvexpand x | eval _raw=x | extract | table id title _raw | append [ | makeresults | eval _raw="1 \"GET https://www.example.com?q1=one\" 2 \"GET https://www.example.com?q1=test&q2=test2\" 3 \"GET https://www.example.com?q3=thr\"" | multikv noheader=t | table _raw ] | rex field=_raw "^(?<id>\d+).*\?(?<params>.*)" | stats values(*) as * by id | table id title params  Note that the rex statement must only grab the id and params from the ST2 sourcetypes, so this relies on _raw from ST1 NOT matching the rex pattern, so that id from the ST1 is not overwritten by an extraction.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-22-2021 03:24 PM