Splunk Search

How do I combine data from two different sources without the append or the union command?

atozeswar
New Member

Hi,

Is there any way to combine data from two different sources without the append or the union command?

I have a code like this..

index=csvl source="file1.csv" OR source="file2.csv" |

First searching from some data from first source file1.csv
Next searching from some data from 2nd source file2.csv

At least I'm using append to combine both results. Is there any way to remove append or union from the query..?

Thank you..

0 Karma

sdchakraborty
Contributor

Hi,
If you have matching fields in both the data sets, you can use the "join" command, like:

[data_set1]
| join type = inner/left
[data set 2]

Sid

0 Karma

bjoernjensen
Contributor

Hey,

that depends on your data. Do file1 and file2 have totally distinct columns?

If you want them to be combined you need some kind of "key" to match them. Or to be more specific: You need a "rule" which tells you a mapping of rows of file1 to rows of file2. And this mapping has to be a 1-to-1 relation, usually induced by a key value. This could be _time, could be a combination of values within each file.

If _time can be used as your key, you might work with bin _time span=1m and continue with stats latest(value) (keep in mind you are aggregating here and might "lose" a value using latest. Test this by using list()).

Hope that helps,
Björn

0 Karma
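The keyed approach from the reply above, as an added example that is not part of the original post: four constructed events (the `value` strings and second offsets are made up) alternate between the two sources and fall into two one-minute buckets. `latest_value` keeps a single value per bucket, while `all_values` shows every value that was aggregated, so comparing the two columns reveals what `latest` drops.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = relative_time(now(), "@m") + case(n=1, 5, n=2, 40, n=3, 65, n=4, 70)
| eval source = if(n%2==1, "file1.csv", "file2.csv"), value = "sample_".n
| bin _time span=1m
| stats latest(value) AS latest_value list(value) AS all_values values(source) AS sources BY _time
```

To run it on real data, replace the generating commands before `bin` with the base search `index=csvl source="file1.csv" OR source="file2.csv"`.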

kmorris_splunk
Splunk Employee

Can you provide a little more detail on what you would like as the end result?

0 Karma

atozeswar
New Member

Some rows of data from file1 and some rows of data from file2. I need to append both and make a table but without using append..

0 Karma