How to combine information from 2 different source...

Susannajuurinen · ‎01-26-2014

Hi!

I have a small problem here.. I have two different sourcetypes named 'server' and 'metrics'.
Server-sourcetype has fields named customername, servername and server_id.
Metrics-sourcetype has fields _time, server_id, meter, value.
There are several different meters and many values per meter.

I'm trying to combine these two. I have a populating scrolldown-input for selecting server (as a $server$) but I'm unable to find information from metrics-sourcetype with the name of the server (server_id is the key value).

I have tried almost everything but nothing seems to be working.. Output should be a table or list of time , meters and values by the meter. Can you please help me with this one?

alacercogitatus · ‎01-26-2014

Try combining with a join (kinda expensive search-wise - but should get the job done)

sourcetype=Metrics | join server_id [ search sourcetype=Server ] | eval rk=meter.":".servername | timechart avg(value) by rk

You can also use a lookup - generate it from your Serversourcetype.

sourcetype=Server | table server_id servername customername | outputlookup servers.csv

Then use it in your search

sourcetype=Metrics | lookup servers.csv server_id | eval rk=meter.":".servername | timechart avg(value) by rk

alacercogitatus · ‎01-31-2014

If this answered your question, please mark it accepted. Thanks.

Susannajuurinen · ‎01-27-2014

Thank you so much! This helped me a lot.

How to combine information from 2 different sources?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life