I have been searching through all of the similar questions on this site, and I believe my problem is that I have 2 different logging sources that have values I need, but the fields do not match. I have tried several subsearches, tried to coalesce field1 and field3 (because they are the same information, just named differently grrrr), and I have been able to produce results with some of the dozens of iterations I've tried, but none of them are producing the combined table that I am looking for.
Here is the current (and probably simplest, to illustrate what I am trying to do) iteration of my search:
```spl
sourcetype=1
| rename field1 as Session_ID
| append [search sourcetype=2 | rename field2 as Username | rename field3 as Session_ID]
| stats count by sum(field4_size_in_bytes), Username, Session_ID, url
| sort - sum(field4_size_in_bytes)
```
What I am trying to do with this search:
Begin with sourcetype1, and rename field1 (which only exists in sourcetype 1) to Session_ID.
Then I am trying to take field2 (which exists only in sourcetype2) and rename that to Username.
With field3, the name of the field itself is different on sourcetype2 than what is on sourcetype1, although the actual data is the same as field1. So I need to merge these two fields if possible (hence my attempts to use coalesce).
Then I want to have these fields all listed out in a statistical chart, in order, based on the field4 size in bytes.
I know this could probably be mitigated by simply renaming the fields in Splunk to match each other, but that isn't really an option right now for reasons that would be too difficult to explain here.
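One way to get the combined table the post describes, as an added example (not the poster's own search) that carries the Username from sourcetype 2 onto the matching sourcetype 1 events by the shared session key. It assumes that field4_size_in_bytes and url live in sourcetype 1, that field2 is the username in sourcetype 2, and that field1/field3 are the same session identifier; note that an aggregation like sum() cannot sit in a stats "by" clause, so the byte total is computed as a named field and sorted on afterwards.

```spl
(sourcetype=1 OR sourcetype=2)
| eval Session_ID=coalesce(field1, field3)
| rename field2 as Username
| eventstats values(Username) as Username by Session_ID
| search sourcetype=1
| stats sum(field4_size_in_bytes) as total_bytes by Username, Session_ID, url
| sort - total_bytes
```

Sessions that never appear in sourcetype 2 will have an empty Username and are dropped by the stats "by" clause; use `fillnull value="unknown" Username` before the stats line if those rows should be kept.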