- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can we join two sourcetypes together that have...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can we join two sourcetypes together that have a common field?
How can we join fields of two source types, when one field is the same in both source types?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this.
index=itsm sourcetype=tsm_filespaces OR sourcetype=tsm_nodes|stats values(*) as * by node_name| dedup node_name,filespace_name | table node_name, platform_name, filespace_name,backup_end,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes , I used Join ...
index=itsm sourcetype=tsm_filespaces |join node_name [search sourcetype=tsm_nodes] | dedup node_name,filespace_name | table node_name, platform_name, filespace_name,backup_end,host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do node_name and filespace_name fields available in same sourcetype (single) OR both sourcetypes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There could be multiple ways
Easiest to do might be through transaction
sourcetype="srcType1" OR sourcetype="srcType2" commonField=*
| transaction commonField
| table _time, eventcount, duration, _raw
However, stats might perform better based on use case. You will have to use combinations of first(), last(), min(), max() or values() etc for various fields that you want to work on after correlation
sourcetype="srcType1" OR sourcetype="srcType2" commonField=*
| stats count as eventcount by commonField
| search eventcount>1
You can also use append, appendcols, appendpipe, join,lookup etc based on your needs.
Refer to the following event correlation documentation for deciding on your choice: http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per your example
index=itsm sourcetype=tsm_filespaces OR sourcetype=tsm_nodes node_name=*
|stats values(filespacename) as filespacename values(platform_name) as platform_name values(backup_end) as backup_end values(host) as host by nodename
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are various methods for it and which one will be best depends upon the output that you expect after joining them. Could you explain more on what is your end goal after joining those two sourcetype's data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking for something like
(sourcetype=A OR sourcetype=B) commonfield=<value>
OR
(sourcetype=A OR sourcetype=B) |stats values(commonfield)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to make sure I understand.
You have Sourcetype A and Sourcetype B and both of them have Field X and you want to join these two sourcetypes together based on Field X?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
