I want to compute a join of an extracted, multi-value SourceTypeA:field_a string variable with an extracted SourceTypeB:field_b string variable.
I've received a partial answer on how to do a "detour join" in Splunk via Intersect and Stats:
(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...)
| eval c = if (sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b)
| stats values (x) values (y) values(z) by c
I'm guessing the searches (for the extracted, multi-value field_a and extracted field_b) go in the sourcetype clauses above.
I want to output the values where SourceTypeA:field_a = SourceTypeB:field_b.
Thanks for your help.
You have the correct solution, even for multi-value fields, except for the whitespace between "values" and "("; this should work fine:
(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...)
| eval joiner = if(sourcetype=="SourceTypeA", 'SourceTypeA:field_a', 'SourceTypeB:field_b')
| stats values(*) AS * by joiner
Which field do you want to display from SourceTypeA and SourceTypeB? The recipe is the same regardless of whether field_a and field_b are multivalued.
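Added example, not code from the original thread: a Python model of what the recipe above does over a handful of constructed events, using the field names from the question. It reproduces how stats splits an event with a multi-value joiner into one group per value, and goes one step beyond the thread by optionally keeping only joiner values seen in both sourcetypes, which is the equality the question asks for (in SPL that would be a trailing "| where mvcount(sourcetype)==2").

```python
from collections import defaultdict

# Constructed sample events (assumed, not from the original post). SourceTypeA
# events carry a multi-value field_a; SourceTypeB events carry a single field_b.
EVENTS = [
    {"sourcetype": "SourceTypeA", "SourceTypeA:field_a": ["10.0.0.5", "10.0.0.9"], "x": "alpha"},
    {"sourcetype": "SourceTypeA", "SourceTypeA:field_a": ["10.0.0.7"], "x": "beta"},
    {"sourcetype": "SourceTypeB", "SourceTypeB:field_b": ["10.0.0.9"], "y": "login"},
    {"sourcetype": "SourceTypeB", "SourceTypeB:field_b": ["10.0.0.7"], "y": "logout"},
    {"sourcetype": "SourceTypeB", "SourceTypeB:field_b": ["10.0.0.42"], "y": "login"},
]


def joiner(event):
    """Model of: eval joiner = if(sourcetype=="SourceTypeA",
    'SourceTypeA:field_a', 'SourceTypeB:field_b'). Returns a list of values."""
    if event["sourcetype"] == "SourceTypeA":
        return event["SourceTypeA:field_a"]
    return event["SourceTypeB:field_b"]


def stats_values_by_joiner(events, both_sides_only=False):
    """Model of: stats values(*) AS * by joiner.

    A multi-value joiner puts the event into one group per value, as Splunk's
    stats does; values() keeps the distinct values of every other field.
    both_sides_only=True keeps only keys that appeared in both sourcetypes,
    i.e. the rows where field_a = field_b (SPL: | where mvcount(sourcetype)==2).
    """
    groups = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for key in joiner(ev):
            for field, val in ev.items():
                vals = val if isinstance(val, list) else [val]
                groups[key][field].update(vals)
    rows = {}
    for key, fields in sorted(groups.items()):
        if both_sides_only and len(fields["sourcetype"]) != 2:
            continue
        rows[key] = {f: sorted(v) for f, v in fields.items()}
    return rows


if __name__ == "__main__":
    for key, row in stats_values_by_joiner(EVENTS, both_sides_only=True).items():
        print(key, row)
```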