Solved: Dealing with multiple fields from different source...

Kavey · ‎04-25-2016

Hi,

here is my problem : I have a sourcetype A with a field X and Z and a sourcetype B with a field Y and Z. The thing I would like to do is using the field X and Z of sourcetype A and field Y of sourcetype B.

What is the simplest way to achieve this?

Thank you in advance for helping me 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

View solution in original post

javiergn · ‎04-25-2016

Another way to easily differentiate field names dynamically is by using the following syntax:

| eval yourfieldname-{sourcetype} = yourfieldname

For instance, if you have a field Z in both sourcetype A and sourcetype B, you could do the following:

| eval fieldZ-{sourcetype} = fieldZ

And Splunk will dynamically create the following two fields for you based on the value of your sourcetype:

fieldZ-sourcetypeA
fieldZ-sourcetypeB

If there were more sourcetypes added later on this would still work.
Hope that helps.

Kavey · ‎04-25-2016

Thanks, that method helped too! 🙂

HeinzWaescher · ‎04-25-2016

You could use a field aliases for sourcetype B and rename fields, so that they don't have same names across your sourcetypes.

settings -> fields -> field aliases

Kavey · ‎04-25-2016

Thank you I didn't know about that feature it is indeed what I was looking for. However is there any other way to do this simply within the query ?

HeinzWaescher · ‎04-25-2016

You could also use eval & if to target specific sourcetypes

Like here in a stats command

... | stats sum(eval(if(sourcetype="A", Z, null()))) AS result

This sums up all values for Z if sourcetype="A"

Kavey · ‎04-25-2016

I didn't choose that method but it is a way to achieve what I want, thank you

ctaf · ‎04-25-2016

How about creating a field alias of the field Y of the sourcetype B?
Then it would have a different name and you will be able to do what you want.

ktugwell_splunk · ‎04-25-2016

Hey Kavey,

Take a look at the append command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append

You could do a subsearch to retrieve Z from sourcetype B.

Kavey · ‎04-25-2016

Hi, thanks for replying!

I already thought about it but I would like not to use a subsearch since it will affect the performance... Moreover the number of events that could be returned might be big

ktugwell_splunk · ‎04-25-2016

How about using eval to generate a new field identifying which sourcetype the data comes from?

... | eval Z1=IF(sourcetype=A, Z, NULL) | eval Z2=IF(sourcetype=B, Z, NULL)

Will that work for you?

Dealing with multiple fields from different sourcetype that have the same name

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!