Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Two index has same field names, change the name

Godspeed_74
Loves-to-Learn Lots
‎04-21-2021 06:36 AM

I am trying to create a search in which I'm using 2 different indexes, and want to produce and combined result as a table. The table should have some fields from both the indexes. There is one filed in both the indexes, with the same name, so I can't pull results from that field.
index 1 has a filed called URL and index 2 has a filed also called URL. I want to change the name of the field in one index, eg: URL to URL_1 for index 1.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-21-2021 06:49 AM 
index=index1 OR index=index2 
| eval URL2=if(index="index2",URL,null)
| eval URL=if(index="index1",URL,null)
0 Karma
Reply

aasabatini
Motivator
‎04-21-2021 06:40 AM

Hi @Godspeed_74 

 

use eval condition:

 

eval url_1=if(index=index1,url,"")
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...