Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I combine data from two different sources without the append or the union command?

atozeswar
New Member
‎12-05-2018 01:36 AM

Hi,

is there any way to combine data from two different sources without the append or the union command?

I have a code like this.. 

Index=csvl source="file1. Csv" or source="file2. Csv" |

First searching from some data from first source file1.csv
Next searching from some data from 2nd source file2.csv

At least I'm using append to combine both results. Is there any way to remove append or union from the query..?

Thank you..

Tags (1)
0 Karma
Reply

sdchakraborty
Contributor
‎12-05-2018 09:55 PM

Hi,
If you have matching fields in both the data sets you can use "join" command. like,

[data_set1]
| join type = inner/left
[data set 2]

Sid

0 Karma
Reply

bjoernjensen
Contributor
‎12-05-2018 08:48 AM

Hey,

that depends on your data. Does file1 and file2 have totally distinct columns?

If you want them to be combined you need some kind of "key" to match them. Or to be more specific: You need a "rule" which tells you a mapping of rows of file1 to rows of file2. And this mapping has to be a 1-to-1 relation, usually induced by a key value. This could be _time, could be a combination of values within each file.

If _time can be used as your key, you might work with bin _time span=1m and continue with stats latest(value) (keep in mind you are aggregating here and might "loose" a value using latest. Test this by using list()).

Hope that helps,
Björn

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-05-2018 07:04 AM

Can you provide a little more detail on what you would like as the end result?

0 Karma
Reply

atozeswar
New Member
‎12-05-2018 05:38 PM

Some rows of data from file1 and some rows of data from files2. I need to append both and make a table but without using append..

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...