- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join data and extract field values as field...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join data and extract field values as field names?
How to change event field values into field name?
Event log sample1:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
id, code, message
1, 1111, "one"
3, 12345, "three"
Event log sample2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
id, keyname, keyvalue
1, name , john
1, place, richmond
1, activity, login
1, environment, mobile
2, name , bob
2, lastname, bill
3, name, charle
3, location, newyork
3, activity, transaction
4 name, Danny
4 lastname, Huber
5, name, eugene
Both event have common field called "id". I will join both data searches using join command.
e.g: index=abc code=111 | join id [search index=blah ]
But my requirement is, for the above search when the code is 111, i need get the table in following format
id, code, message, name, place, activity, environment
1 , 1111, "one", john, richmond, login, mobile
Please note that, the values of keyname and keyvalue are become field-name and its values respectively. Please let me know how to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=abc code=1111 | join id [search index=blah | xyseries id keyname keyvalue]
OR
index=abc code=1111 | join id [search index=blah | chart first(keyvalue) over id by keyname]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=abc code=1111 | join id[search index=blah | chart first(keyvalue) by id keyname]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your question, you said you need it for code 1111. Take out the condition code=1111 and execute the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for ur response.
The above searching is putting keyname parameter values as column variables (this 100% fine). But the value from keyvalue is displayed only for one column variable ( created from keyname) per id.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
