Solved: How to build a table from two index sources with a...

nottheboss · ‎03-13-2018

I am completely new to splunk so correct me if i am wrong
i have 2 sources of data which contains status codes for the request with an id
1) index=some_index_1 source=some_source_1 status_code=* id=*
2) index=some_index_2 source=some_source_2 status_code=* id=*

i would like a table with
id, status_code (from index_1), status_code (from index_2)

how can i join the two data together and return a table with the fields?

elliotproebstel · ‎03-13-2018

This can be a start, and you can adjust it as needed:

index=some_index_1 OR index=some_index_2 source=some_source1 OR source=some_source_2 
| eval status_code_1=if(index=some_index_1, status_code, NULL), status_code_2=if(index=some_index_2, status_code, NULL)
| stats values(status_code_1) AS status_code_1, values(status_code_2) AS status_code_2 BY id

View solution in original post

elliotproebstel · ‎03-13-2018

This can be a start, and you can adjust it as needed:

index=some_index_1 OR index=some_index_2 source=some_source1 OR source=some_source_2 
| eval status_code_1=if(index=some_index_1, status_code, NULL), status_code_2=if(index=some_index_2, status_code, NULL)
| stats values(status_code_1) AS status_code_1, values(status_code_2) AS status_code_2 BY id

How to build a table from two index sources with a common id

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!